From 50103b86e6f5e6aa82448d6bfdafeac34e0c8caa Mon Sep 17 00:00:00 2001
From: Rick Olson <technoweenie@gmail.com>
Date: Sat, 18 Mar 2006 18:01:50 +0000
Subject: fixed has_many :conditions sanitizing (closes #4278)
 [hakuja@hakuja.net]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@3935 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
---
 activerecord/lib/active_record/associations.rb                   | 4 ++--
 activerecord/lib/active_record/associations/association_proxy.rb | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

(limited to 'activerecord/lib')

diff --git a/activerecord/lib/active_record/associations.rb b/activerecord/lib/active_record/associations.rb
index 4f8f41fcea..a982279b03 100755
--- a/activerecord/lib/active_record/associations.rb
+++ b/activerecord/lib/active_record/associations.rb
@@ -1244,7 +1244,7 @@ module ActiveRecord
                   case
                     when reflection.macro == :has_many && reflection.options[:through]
                       through_reflection = parent.active_record.reflect_on_association(reflection.options[:through])
-                      through_conditions = through_reflection.options[:conditions] ? "AND #{eval("%(#{through_reflection.options[:conditions]})")}" : ''
+                      through_conditions = through_reflection.options[:conditions] ? "AND #{eval("%(#{through_reflection.active_record.send :sanitize_sql, through_reflection.options[:conditions]})")}" : ''
                       if through_reflection.options[:as] # has_many :through against a polymorphic join
                         polymorphic_foreign_key  = through_reflection.options[:as].to_s + '_id'
                         polymorphic_foreign_type = through_reflection.options[:as].to_s + '_type'
@@ -1296,7 +1296,7 @@ module ActiveRecord
                 aliased_table_name, 
                 reflection.active_record.connection.quote_column_name(reflection.active_record.inheritance_column), 
                 klass.quote(klass.name)] if sti?
-              join << "AND #{eval("%(#{reflection.options[:conditions]})")} " if reflection.options[:conditions]
+              join << "AND #{eval("%(#{reflection.active_record.send :sanitize_sql, reflection.options[:conditions]})")} " if reflection.options[:conditions]
               join
             end
             
diff --git a/activerecord/lib/active_record/associations/association_proxy.rb b/activerecord/lib/active_record/associations/association_proxy.rb
index 4ddeb84a58..583f8c04b1 100644
--- a/activerecord/lib/active_record/associations/association_proxy.rb
+++ b/activerecord/lib/active_record/associations/association_proxy.rb
@@ -27,7 +27,7 @@ module ActiveRecord
       end
       
       def conditions
-        @conditions ||= eval("%(#{@reflection.options[:conditions]})") if @reflection.options[:conditions]
+        @conditions ||= eval("%(#{@reflection.active_record.send :sanitize_sql, @reflection.options[:conditions]})") if @reflection.options[:conditions]
       end
       alias :sql_conditions :conditions
       
-- 
cgit v1.2.3