From 1de7df3c4a66d5fb62dfc655fda1a73c212b9ec5 Mon Sep 17 00:00:00 2001
From: Matchu
Date: Sat, 15 May 2010 15:00:53 -0400
Subject: [PATCH] restrict search filters to description, species

---
 app/models/item.rb | 6 ++++--
 spec/models/item_spec.rb | 4 ++++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/app/models/item.rb b/app/models/item.rb
index 1f18994e..77a7584c 100644
--- a/app/models/item.rb
+++ b/app/models/item.rb
@@ -66,9 +66,11 @@ class Item < ActiveRecord::Base
 "%,#{species.id},%",
 "%,#{species.id}"
 ))
- else
- column = @property ? @property : :name
+ elsif @property == 'description' || @property.blank?
+ column = @property == 'description' ? :description : :name
 condition = items[column].matches("%#{self}%")
+ else
+ raise ArgumentError, "Unknown search filter \"#{@property}\""
 end
 condition = condition.not if @negative
 scope.where(condition)
diff --git a/spec/models/item_spec.rb b/spec/models/item_spec.rb
index ae033fe7..93de011b 100644
--- a/spec/models/item_spec.rb
+++ b/spec/models/item_spec.rb
@@ -164,5 +164,9 @@ describe Item do
 specify "should raise exception for a query that's too short" do
 lambda { Item.search('e').all }.should raise_error(ArgumentError)
 end
+
+ specify "should not be able to search other attributes thru filters" do
+ lambda { Item.search('id:1').all }.should raise_error(ArgumentError)
+ end
 end
 end
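Review bot: The new `elsif` branch already guarantees that `@property` is either `'description'` or blank, so the ternary on the next line re-tests the same condition; it reads more directly as `column = @property.blank? ? :name : :description`. The change is the right shape from a security standpoint — the old `column = @property ? @property : :name` let any caller-supplied filter name select a column in `items[column]`, and the new code is an allow-list with an explicit rejection. One thing to confirm is where the `ArgumentError` message ends up: it interpolates the rejected, unvalidated filter name, and the spec's "too short" case suggests these messages may be surfaced to the user, so whichever layer renders them should HTML-escape the text rather than trust it. A comment on the `else` such as `# Only name/description are searchable by free text; anything else is rejected rather than mapped to a column` would make the intent survive later edits. The enclosing method begins before this hunk, so the source of `@property` is not visible here.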
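Review bot: The added spec pins only the negative case (`id:1` raises), so a regression that also rejected the intended `description:` filter would still pass this file. A companion positive assertion next to it, `lambda { Item.search('description:blue').all }.should_not raise_error`, would lock in both halves of the allow-list behaviour the commit title describes. The surrounding `describe Item do` block starts before this hunk.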