From 1de7df3c4a66d5fb62dfc655fda1a73c212b9ec5 Mon Sep 17 00:00:00 2001
From: Matchu <matchu1993@gmail.com>
Date: Sat, 15 May 2010 15:00:53 -0400
Subject: [PATCH] restrict search filters to description, species

---
 app/models/item.rb       | 6 ++++--
 spec/models/item_spec.rb | 4 ++++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/app/models/item.rb b/app/models/item.rb
index 1f18994e..77a7584c 100644
--- a/app/models/item.rb
+++ b/app/models/item.rb
@@ -66,9 +66,11 @@ class Item < ActiveRecord::Base
           "%,#{species.id},%",
           "%,#{species.id}"
         ))
-      else
-        column = @property ? @property : :name
+      elsif @property == 'description' || @property.blank?
+        column = @property == 'description' ? :description : :name
         condition = items[column].matches("%#{self}%")
+      else
+        raise ArgumentError, "Unknown search filter \"#{@property}\""
       end
       condition = condition.not if @negative
       scope.where(condition)
diff --git a/spec/models/item_spec.rb b/spec/models/item_spec.rb
index ae033fe7..93de011b 100644
--- a/spec/models/item_spec.rb
+++ b/spec/models/item_spec.rb
@@ -164,5 +164,9 @@ describe Item do
     specify "should raise exception for a query that's too short" do
       lambda { Item.search('e').all }.should raise_error(ArgumentError)
     end
+    
+    specify "should not be able to search other attributes thru filters" do
+      lambda { Item.search('id:1').all }.should raise_error(ArgumentError)
+    end
   end
 end