filter_out_illegal_query_filter_values.patch

Etienne Massip, 2011-10-19 20:20



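--- a/app/models/query.rb
+++ b/app/models/query.rb
@@ -333,6 +333,13 @@
     available_filters[field][:type] if available_filters.has_key?(field)
   end
   
+  def allowed_values_for(field)
+    if available_filters.has_key?(field)
+      values = available_filters[field][:values]
+      return values.first.is_a?(Array) ? values.collect {|val| val[1]} : values if values.present? && values.any?
+    end
+  end
+  
   def operator_for(field)
     has_filter?(field) ? filters[field][:operator] : nil
   end
@@ -649,6 +656,7 @@
     sql = ''
     case operator
     when "="
+      value &= allowed_values_for(field) if allowed_values_for(field).present?
       if value.any?
         case type_for(field)
         when :date, :date_past
@@ -665,6 +673,7 @@
         sql = "1=0"
       end
     when "!"
+      value &= allowed_values_for(field) if allowed_values_for(field).present?
       if value.any?
         sql = "(#{db_table}.#{db_field} IS NULL OR #{db_table}.#{db_field} NOT IN (" + value.collect{|val| "'#{connection.quote_string(val)}'"}.join(",") + "))"
       else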
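Review bot: `allowed_values_for(field)` is called twice on each added guard line (new 659 and new 676), once for the `present?` test and once for the intersection, and each call re-collects the values array; bind it once instead: `allowed = allowed_values_for(field)` / `value &= allowed if allowed.present?`. The intersection silently drops every element when `value` and the allowed list are not of the same type (the allowed list comes from `available_filters[field][:values]`, presumably Strings like the parsed filter values — verify for any filter whose value list holds Integers), in which case the `=` branch appears to fall through to `sql = "1=0"`, so a comment stating that both lists are compared as Strings would make the whitelist contract explicit. The new `allowed_values_for` packs a ternary and a trailing `if` modifier into one long line; a guard `return unless values.present? && values.any?` followed by the mapping reads more easily, and a header comment along the lines of `# Values a filter on +field+ may legitimately take (second element of each entry when the list holds [label, value]-style pairs); nil when the filter has no fixed value list` would explain why the guards skip filtering when it returns nothing. The method containing the `case operator` starts and ends outside the hunk.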
test/functional/issues_controller_test.rb (working copy)
162 162
        '!~This is part of a subject' => { :op => '!~', :values => ['This is part of a subject'] }},
163 163
      'tracker_id' => {
164 164
        '3' => { :op => '=', :values => ['3'] },
165
        '=3' => { :op => '=', :values => ['3'] }},
165
        '=3' => { :op => '=', :values => ['3'] },
166
        '*' => { :op => '=', :values => ['*'] },
167
        '!*' => { :op => '!', :values => ['*'] }},
166 168
      'start_date' => {
167 169
        '2011-10-12' => { :op => '=', :values => ['2011-10-12'] },
168 170
        '=2011-10-12' => { :op => '=', :values => ['2011-10-12'] },