[#3477] Let where_ilike take care of necessary sanitizing

Frederic Merizen 2019-02-26 19:21:33 +01:00 committed by Frederic Merizen
parent e098779c5e
commit d24fb5d186


@ -103,7 +103,6 @@ class ProcedurePresentation < ApplicationRecord
dossiers.each { |dossier| assert_matching_procedure(dossier) } dossiers.each { |dossier| assert_matching_procedure(dossier) }
filters[statut].group_by { |filter| filter.slice('table', 'column') } .map do |field, filters| filters[statut].group_by { |filter| filter.slice('table', 'column') } .map do |field, filters|
table, column = field.values_at('table', 'column') table, column = field.values_at('table', 'column')
table_column = self.class.sanitized_column(table, column)
values = filters.pluck('value') values = filters.pluck('value')
case table case table
when 'self' when 'self'
@ -119,7 +118,7 @@ class ProcedurePresentation < ApplicationRecord
dossiers dossiers
.includes(relation) .includes(relation)
.where("champs.type_de_champ_id = ?", column.to_i) .where("champs.type_de_champ_id = ?", column.to_i)
).where_ilike('champs.value', values) ).where_ilike(:champ, :value, values)
when 'etablissement' when 'etablissement'
if column == 'entreprise_date_creation' if column == 'entreprise_date_creation'
dates = values.map { |v| v.to_date rescue nil } dates = values.map { |v| v.to_date rescue nil }
@ -130,13 +129,13 @@ class ProcedurePresentation < ApplicationRecord
Filter.new( Filter.new(
dossiers dossiers
.includes(table) .includes(table)
).where_ilike(table_column, values) ).where_ilike(table, column, values)
end end
when 'user', 'individual' when 'user', 'individual'
Filter.new( Filter.new(
dossiers dossiers
.includes(table) .includes(table)
).where_ilike(table_column, values) ).where_ilike(table, column, values)
end.pluck(:id) end.pluck(:id)
end.reduce(:&) end.reduce(:&)
end end
@ -185,7 +184,8 @@ class ProcedurePresentation < ApplicationRecord
end end
end end
def where_ilike(table_column, values) def where_ilike(table, column, values)
table_column = ProcedurePresentation.sanitized_column(table, column)
q = Array.new(values.count, "(#{table_column} ILIKE ?)").join(' OR ') q = Array.new(values.count, "(#{table_column} ILIKE ?)").join(' OR ')
@dossiers.where(q, *(values.map { |value| "%#{value}%" })) @dossiers.where(q, *(values.map { |value| "%#{value}%" }))
end end
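Review bot: The reworked `where_ilike` (hunk at -185) now sanitizes the column name through `sanitized_column`, but the user-supplied `values` are still interpolated into the ILIKE pattern as plain `"%#{value}%"`, so `%` and `_` inside a filter value behave as wildcards instead of literal characters. Binding through `?` only protects the SQL text itself, not LIKE metacharacters, so a value of `%` matches every row of the table. I would escape each value before wrapping it: `@dossiers.where(q, *values.map { |value| "%#{ActiveRecord::Base.sanitize_sql_like(value)}%" })`. The new `.where_ilike(:champ, :value, values)` call at -119 also relies on `sanitized_column` accepting symbols and resolving `:champ` to the `champs` table, which is not visible in this diff; a one-line comment on `where_ilike` stating the accepted forms of `table` and `column` would make that contract explicit.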