Fix deprecation warning for Spree::Shipment#reverse_chronological scope #2921

Merged 2 commits on Nov 22, 2018


@aitbw aitbw commented Oct 19, 2018

Hi everyone! 👋

This is a small PR to fix a deprecation warning that shows up when running certain tests. The message goes like this:

DEPRECATION WARNING: Dangerous query method (method whose arguments are used as raw
SQL) called with non-attribute argument(s): "coalesce(spree_shipments.shipped_at,
spree_shipments.created_at) desc". Non-attribute arguments will be disallowed in Rails 6.0.
This method should not be called with user-provided values, such as request parameters or
model attributes. Known-safe values can be passed by wrapping them in Arel.sql().
(called from block in <class::Shipment> at /solidus/core/app/models/spree/shipment.rb:36)

From what I can see, the attributes used in here shouldn't generate any problems, as they just store timestamps and the user is not passing any parameters to said query, so SQL injection is unlikely.

Running the full test suite following this patch doesn't show the aforementioned warning anymore. This PR also future-proofs this scope for an eventual Rails 6 update.

Let me know what you think!
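
An added example (not part of this PR or of the Solidus code base): a small auditor that sorts `order`/`reorder` string arguments into the cases the warning above distinguishes, and also flags interpolated strings, which `Arel.sql()` silences without making safe. `ATTRIBUTE_ORDER` is an approximation of Rails' attribute check written for this example, and the scope lines in `SAMPLE` are constructed; only the coalesce expression is taken from the warning text.

```ruby
# Approximation (assumption) of the "plain attribute" shape Rails accepts
# without warning: optional table prefix, column name, optional direction.
ATTRIBUTE_ORDER = /\A(?:\w+\.)?\w+(?:\s+(?:asc|desc))?\z/i

# order/reorder called with a string literal, optionally wrapped in Arel.sql.
ORDER_CALL = /\b(order|reorder)\(\s*(Arel\.sql\(\s*)?(["'])(.*?)\3/

Finding = Struct.new(:line_no, :call_name, :sql, :status)

# Classify each order/reorder string literal found in +source+:
#   :attribute    plain column reference, no warning
#   :raw          raw SQL passed bare, triggers the deprecation warning
#   :wrapped      constant raw SQL marked known-safe with Arel.sql
#   :interpolated string built at run time; needs review even when the
#                 Arel.sql wrapper hides the warning
def audit_order_calls(source)
  findings = []
  source.each_line.with_index(1) do |line, line_no|
    line.scan(ORDER_CALL) do |call_name, wrapped, quote, sql|
      status =
        if quote == '"' && sql.include?('#{') then :interpolated
        elsif sql.match?(ATTRIBUTE_ORDER) then :attribute
        elsif wrapped then :wrapped
        else :raw
        end
      findings << Finding.new(line_no, call_name, sql, status)
    end
  end
  findings
end

# Constructed sample scopes (not the project's source).
SAMPLE = <<~'RUBY'
  scope :recent, -> { order("created_at desc") }
  scope :reverse_chronological, -> { order("coalesce(spree_shipments.shipped_at, spree_shipments.created_at) desc") }
  scope :reverse_chronological_fixed, -> { order(Arel.sql("coalesce(spree_shipments.shipped_at, spree_shipments.created_at) desc")) }
  scope :sorted, ->(dir) { order(Arel.sql("spree_shipments.created_at #{dir}")) }
RUBY

if __FILE__ == $PROGRAM_NAME
  audit_order_calls(SAMPLE).each do |f|
    puts format("line %d  %-13s %s(%s)", f.line_no, f.status, f.call_name, f.sql)
  end
end
```
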

@kennyadsl kennyadsl left a comment

Thanks! Just left a (non-blocking) possible improvement, let me know if you think it makes sense to do that here

core/app/models/spree/shipment.rb (outdated, resolved)

@jacobherrington jacobherrington left a comment

This makes sense to me, good catch @aitbw!

@kennyadsl kennyadsl merged commit b00b007 into solidusio:master Nov 22, 2018
@aitbw aitbw deleted the nebulab/fix-dangerous-query-method branch November 22, 2018 12:03