Don't pass raw SQL when changing sort order (#1447)
When that code runs (ordering the index page in administrate dashboard) the
following deprecation warning is shown:

> DEPRECATION WARNING: Dangerous query method (method whose arguments are used
> as raw SQL) called with non-attribute argument(s): "[schema].[table].[column]".
> Non-attribute arguments will be disallowed in Rails 6.0. This method should
> not be called with user-provided values, such as request parameters or model
> attributes. Known-safe values can be passed by wrapping them in Arel.sql().
santib authored and nickcharlton committed Oct 30, 2019
1 parent 5d8f33d commit 0e3966d
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion lib/administrate/order.rb
Expand Up @@ -11,7 +11,7 @@ def apply(relation)

order = "#{relation.table_name}.#{attribute} #{direction}"

return relation.reorder(order) if
return relation.reorder(Arel.sql(order)) if
relation.columns_hash.keys.include?(attribute.to_s)

relation
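
Review bot: `Arel.sql(order)` on the changed `reorder` line vouches for the whole interpolated string, but the `if` guard under it only checks `attribute` against `relation.columns_hash.keys`; `direction` is also interpolated into `order`, and nothing in the visible lines constrains it. Wrapping the string in `Arel.sql` silences the deprecation warning without removing the raw SQL, so the call is only as safe as whatever normalizes `direction` before `apply` runs. Consider checking `direction` against an `asc`/`desc` allowlist in this method, or building the clause from Arel nodes such as `relation.arel_table[attribute].asc` or `.desc` so that no string has to be marked known-safe. A one-line comment stating why the value is considered safe would also help the next reader.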