1 files changed, 71 insertions, 36 deletions
diff --git a/activerecord/lib/active_record/relation/query_methods.rb b/activerecord/lib/active_record/relation/query_methods.rb
index 1262b2c291..ef380abfe8 100644
--- a/activerecord/lib/active_record/relation/query_methods.rb
+++ b/activerecord/lib/active_record/relation/query_methods.rb
@@ -1,9 +1,13 @@
 require 'active_support/core_ext/array/wrap'
+require 'active_support/core_ext/string/filters'
+require 'active_model/forbidden_attributes_protection'
 
 module ActiveRecord
   module QueryMethods
     extend ActiveSupport::Concern
 
+    include ActiveModel::ForbiddenAttributesProtection
+
     # WhereChain objects act as placeholder for queries in which #where does not have any parameter.
     # In this case, #where must be chained with #not to return a new relation.
     class WhereChain
@@ -91,10 +95,10 @@ module ActiveRecord
     def check_cached_relation # :nodoc:
       if defined?(@arel) && @arel
         @arel = nil
-        ActiveSupport::Deprecation.warn <<-WARNING
-Modifying already cached Relation. The cache will be reset.
-Use a cloned Relation to prevent this warning.
-WARNING
+        ActiveSupport::Deprecation.warn(<<-MSG.squish)
+          Modifying already cached Relation. The cache will be reset. Use a
+          cloned Relation to prevent this warning.
+        MSG
       end
     end
 
@@ -423,19 +427,17 @@ WARNING
     #   => SELECT "users".* FROM "users" LEFT JOIN bookmarks ON bookmarks.bookmarkable_type = 'Post' AND bookmarks.user_id = users.id
     def joins(*args)
       check_if_method_has_arguments!(:joins, args)
-
-      args.compact!
-      args.flatten!
-
       spawn.joins!(*args)
     end
 
     def joins!(*args) # :nodoc:
+      args.compact!
+      args.flatten!
       self.joins_values += args
       self
     end
 
-    def bind(value)
+    def bind(value) # :nodoc:
       spawn.bind!(value)
     end
 
@@ -574,7 +576,10 @@ WARNING
     end
 
     def where!(opts, *rest) # :nodoc:
-      references!(PredicateBuilder.references(opts)) if Hash === opts
+      if Hash === opts
+        opts = sanitize_forbidden_attributes(opts)
+        references!(PredicateBuilder.references(opts))
+      end
 
       self.where_values += build_where(opts, rest)
       self
@@ -683,11 +688,11 @@ WARNING
     #   end
     #
     def none
-      extending(NullRelation)
+      where("1=0").extending!(NullRelation)
     end
 
     def none! # :nodoc:
-      extending!(NullRelation)
+      where!("1=0").extending!(NullRelation)
     end
 
     # Sets readonly attributes for the returned relation. If value is
@@ -723,7 +728,13 @@ WARNING
     end
 
     def create_with!(value) # :nodoc:
-      self.create_with_value = value ? create_with_value.merge(value) : {}
+      if value
+        value = sanitize_forbidden_attributes(value)
+        self.create_with_value = create_with_value.merge(value)
+      else
+        self.create_with_value = {}
+      end
+
       self
     end
 
@@ -847,7 +858,7 @@ WARNING
     private
 
     def build_arel
-      arel = Arel::SelectManager.new(table.engine, table)
+      arel = Arel::SelectManager.new(table)
 
       build_joins(arel, joins_values.flatten) unless joins_values.empty?
 
@@ -868,15 +879,6 @@ WARNING
       arel.from(build_from) if from_value
       arel.lock(lock_value) if lock_value
 
-      # Reorder bind indexes if joins produced bind values
-      if arel.bind_values.any?
-        bvs = arel.bind_values + bind_values
-        arel.ast.grep(Arel::Nodes::BindParam).each_with_index do |bp, i|
-          column = bvs[i].first
-          bp.replace connection.substitute_at(column, i)
-        end
-      end
-
       arel
     end
 
@@ -905,9 +907,9 @@ WARNING
 
       where_values.reject! do |rel|
         case rel
-        when Arel::Nodes::In, Arel::Nodes::NotIn, Arel::Nodes::Equality, Arel::Nodes::NotEqual
+        when Arel::Nodes::Between, Arel::Nodes::In, Arel::Nodes::NotIn, Arel::Nodes::Equality, Arel::Nodes::NotEqual, Arel::Nodes::LessThanOrEqual, Arel::Nodes::GreaterThanOrEqual
           subrelation = (rel.left.kind_of?(Arel::Attributes::Attribute) ? rel.left : rel.right)
-          subrelation.name == target_value
+          subrelation.name.to_s == target_value
         end
       end
 
@@ -945,24 +947,21 @@ WARNING
       when String, Array
         [@klass.send(:sanitize_sql, other.empty? ? opts : ([opts] + other))]
       when Hash
-        opts = PredicateBuilder.resolve_column_aliases(klass, opts)
+        opts = predicate_builder.resolve_column_aliases(opts)
 
-        bv_len = bind_values.length
-        tmp_opts, bind_values = create_binds(opts, bv_len)
+        tmp_opts, bind_values = create_binds(opts)
         self.bind_values += bind_values
 
         attributes = @klass.send(:expand_hash_conditions_for_aggregates, tmp_opts)
-        attributes.values.grep(ActiveRecord::Relation) do |rel|
-          self.bind_values += rel.bind_values
-        end
+        add_relations_to_bind_values(attributes)
 
-        PredicateBuilder.build_from_hash(klass, attributes, table)
+        predicate_builder.build_from_hash(attributes)
       else
         [opts]
       end
     end
 
-    def create_binds(opts, idx)
+    def create_binds(opts)
       bindable, non_binds = opts.partition do |column, value|
         case value
         when String, Integer, ActiveRecord::StatementCache::Substitute
@@ -972,12 +971,23 @@ WARNING
         end
       end
 
+      association_binds, non_binds = non_binds.partition do |column, value|
+        value.is_a?(Hash) && association_for_table(column)
+      end
+
       new_opts = {}
       binds = []
 
-      bindable.each_with_index do |(column,value), index|
+      bindable.each do |(column,value)|
         binds.push [@klass.columns_hash[column.to_s], value]
-        new_opts[column] = connection.substitute_at(column, index + idx)
+        new_opts[column] = connection.substitute_at(column)
+      end
+
+      association_binds.each do |(column, value)|
+        association_relation = association_for_table(column).klass.send(:relation)
+        association_new_opts, association_bind = association_relation.send(:create_binds, value)
+        new_opts[column] = association_new_opts
+        binds += association_bind
       end
 
       non_binds.each { |column,value| new_opts[column] = value }
@@ -985,6 +995,12 @@ WARNING
       [new_opts, binds]
     end
 
+    def association_for_table(table_name)
+      table_name = table_name.to_s
+      @klass._reflect_on_association(table_name) ||
+        @klass._reflect_on_association(table_name.singularize)
+    end
+
     def build_from
       opts, name = from_value
       case opts
@@ -1041,8 +1057,13 @@ WARNING
     def build_select(arel, selects)
       if !selects.empty?
         expanded_select = selects.map do |field|
-          columns_hash.key?(field.to_s) ? arel_table[field] : field
+          if (Symbol === field || String === field) && columns_hash.key?(field.to_s)
+            arel_table[field]
+          else
+            field
+          end
         end
+
         arel.project(*expanded_select)
       else
         arel.project(@klass.arel_table[Arel.star])
@@ -1137,5 +1158,19 @@ WARNING
         raise ArgumentError, "The method .#{method_name}() must contain arguments."
       end
     end
+
+    # This function is recursive just for better readablity.
+    # #where argument doesn't support more than one level nested hash in real world.
+    def add_relations_to_bind_values(attributes)
+      if attributes.is_a?(Hash)
+        attributes.each_value do |value|
+          if value.is_a?(ActiveRecord::Relation)
+            self.bind_values += value.bind_values
+          else
+            add_relations_to_bind_values(value)
+          end
+        end
+      end
+    end
   end
 end