Permit list usage cleanup and clearer documentation

author: Kevin Deisz <kevin.deisz@gmail.com> 2018-08-27 09:30:05 -0400
committer: Kevin Deisz <kevin.deisz@gmail.com> 2018-08-27 09:51:46 -0400
commit: 7c9751d7fe3aec1e67004d1bb5e4a1702fcacafb (patch)
tree: f67885f8ceeee2b867a451afcab6a145425dcadb /activerecord/lib
parent: 0efecd913c07104e8fba82d5044c1ad824af68d5 (diff)
download: rails-7c9751d7fe3aec1e67004d1bb5e4a1702fcacafb.tar.gz
rails-7c9751d7fe3aec1e67004d1bb5e4a1702fcacafb.tar.bz2
rails-7c9751d7fe3aec1e67004d1bb5e4a1702fcacafb.zip
4 files changed, 13 insertions, 11 deletions
diff --git a/activerecord/lib/active_record/attribute_methods.rb b/activerecord/lib/active_record/attribute_methods.rb
index 2e68bdd741..1d18119c66 100644
--- a/activerecord/lib/active_record/attribute_methods.rb
+++ b/activerecord/lib/active_record/attribute_methods.rb
@@ -167,12 +167,14 @@ module ActiveRecord
         end
       end
 
-      # Regexp permitted list. Matches the following:
+      # Regexp for column names (with or without a table name prefix). Matches
+      # the following:
       #   "#{table_name}.#{column_name}"
       #   "#{column_name}"
-      COLUMN_NAME_PERMIT_LIST = /\A(?:\w+\.)?\w+\z/i
+      COLUMN_NAME = /\A(?:\w+\.)?\w+\z/i
 
-      # Regexp permitted list. Matches the following:
+      # Regexp for column names with order (with or without a table name
+      # prefix, with or without various order modifiers). Matches the following:
       #   "#{table_name}.#{column_name}"
       #   "#{table_name}.#{column_name} #{direction}"
       #   "#{table_name}.#{column_name} #{direction} NULLS FIRST"
@@ -181,7 +183,7 @@ module ActiveRecord
       #   "#{column_name} #{direction}"
       #   "#{column_name} #{direction} NULLS FIRST"
       #   "#{column_name} NULLS LAST"
-      COLUMN_NAME_ORDER_PERMIT_LIST = /
+      COLUMN_NAME_WITH_ORDER = /
         \A
         (?:\w+\.)?
         \w+
@@ -190,12 +192,12 @@ module ActiveRecord
         \z
       /ix
 
-      def enforce_raw_sql_permit_list(args, permit_list: COLUMN_NAME_PERMIT_LIST) # :nodoc:
+      def disallow_raw_sql!(args, permit: COLUMN_NAME) # :nodoc:
         unexpected = args.reject do |arg|
           arg.kind_of?(Arel::Node) ||
             arg.is_a?(Arel::Nodes::SqlLiteral) ||
             arg.is_a?(Arel::Attributes::Attribute) ||
-            arg.to_s.split(/\s*,\s*/).all? { |part| permit_list.match?(part) }
+            arg.to_s.split(/\s*,\s*/).all? { |part| permit.match?(part) }
         end
 
         return if unexpected.none?
diff --git a/activerecord/lib/active_record/relation/calculations.rb b/activerecord/lib/active_record/relation/calculations.rb
index ad9ccfa215..0fa5ba2e50 100644
--- a/activerecord/lib/active_record/relation/calculations.rb
+++ b/activerecord/lib/active_record/relation/calculations.rb
@@ -190,7 +190,7 @@ module ActiveRecord
         relation = apply_join_dependency
         relation.pluck(*column_names)
       else
-        enforce_raw_sql_permit_list(column_names)
+        disallow_raw_sql!(column_names)
         relation = spawn
         relation.select_values = column_names.map { |cn|
           @klass.has_attribute?(cn) || @klass.attribute_alias?(cn) ? arel_attribute(cn) : cn
diff --git a/activerecord/lib/active_record/relation/query_methods.rb b/activerecord/lib/active_record/relation/query_methods.rb
index 4a6ffea3e7..56497e11cb 100644
--- a/activerecord/lib/active_record/relation/query_methods.rb
+++ b/activerecord/lib/active_record/relation/query_methods.rb
@@ -1133,9 +1133,9 @@ module ActiveRecord
         end
         order_args.flatten!
 
-        @klass.enforce_raw_sql_permit_list(
+        @klass.disallow_raw_sql!(
           order_args.flat_map { |a| a.is_a?(Hash) ? a.keys : a },
-          permit_list: AttributeMethods::ClassMethods::COLUMN_NAME_ORDER_PERMIT_LIST
+          permit: AttributeMethods::ClassMethods::COLUMN_NAME_WITH_ORDER
         )
 
         validate_order_args(order_args)
diff --git a/activerecord/lib/active_record/sanitization.rb b/activerecord/lib/active_record/sanitization.rb
index d398d03ebb..3485d9e557 100644
--- a/activerecord/lib/active_record/sanitization.rb
+++ b/activerecord/lib/active_record/sanitization.rb
@@ -61,8 +61,8 @@ module ActiveRecord
       #   # => "id ASC"
       def sanitize_sql_for_order(condition)
         if condition.is_a?(Array) && condition.first.to_s.include?("?")
-          enforce_raw_sql_permit_list([condition.first],
-            permit_list: AttributeMethods::ClassMethods::COLUMN_NAME_ORDER_PERMIT_LIST
+          disallow_raw_sql!([condition.first],
+            permit: AttributeMethods::ClassMethods::COLUMN_NAME_WITH_ORDER
           )
 
           # Ensure we aren't dealing with a subclass of String that might
author	Kevin Deisz <kevin.deisz@gmail.com>	2018-08-27 09:30:05 -0400
committer	Kevin Deisz <kevin.deisz@gmail.com>	2018-08-27 09:51:46 -0400
commit	7c9751d7fe3aec1e67004d1bb5e4a1702fcacafb (patch)
tree	f67885f8ceeee2b867a451afcab6a145425dcadb /activerecord/lib
parent	0efecd913c07104e8fba82d5044c1ad824af68d5 (diff)
download	rails-7c9751d7fe3aec1e67004d1bb5e4a1702fcacafb.tar.gz rails-7c9751d7fe3aec1e67004d1bb5e4a1702fcacafb.tar.bz2 rails-7c9751d7fe3aec1e67004d1bb5e4a1702fcacafb.zip