Avoid dangerous argument warning under Rails 5.2

Rails 5.2 doesn't allow passing raw strings to order (to avoid accidentally allowing user-provided strings)
castlery · Apr 15, 2022 · f786e85 · f786e85
1 parent 7be13e0
commit f786e85
Show file tree

Hide file tree

Showing 4 changed files with 4 additions and 4 deletions.
diff --git a/core/app/models/spree/order.rb b/core/app/models/spree/order.rb
@@ -142,7 +142,7 @@ def states
     scope :by_store, ->(store) { where(store_id: store.id) }
 
     # shows completed orders first, by their completed_at date, then uncompleted orders by their created_at
-    scope :reverse_chronological, -> { order('spree_orders.completed_at IS NULL', completed_at: :desc, created_at: :desc) }
+    scope :reverse_chronological, -> { order(Arel.sql('spree_orders.completed_at IS NULL'), completed_at: :desc, created_at: :desc) }
     scope :unreturned_exchange, -> { joins(:shipments).where('spree_orders.created_at > spree_shipments.created_at') }
 
     def self.by_customer(customer)

diff --git a/core/app/models/spree/price.rb b/core/app/models/spree/price.rb
@@ -18,7 +18,7 @@ class Price < Spree::Base
     validates :currency, inclusion: { in: ::Money::Currency.all.map(&:iso_code), message: :invalid_code }
     validates :country, presence: true, unless: -> { for_any_country? }
 
-    scope :currently_valid, -> { order("country_iso IS NULL, updated_at DESC, id DESC") }
+    scope :currently_valid, -> { order(Arel.sql("country_iso IS NULL, updated_at DESC, id DESC")) }
     scope :for_master, -> { joins(:variant).where(spree_variants: { is_master: true }) }
     scope :for_variant, -> { joins(:variant).where(spree_variants: { is_master: false }) }
     scope :for_any_country, -> { where(country: nil) }

diff --git a/core/app/models/spree/taxonomy.rb b/core/app/models/spree/taxonomy.rb
@@ -9,7 +9,7 @@ class Taxonomy < Spree::Base
 
     after_save :set_name
 
-    default_scope -> { order(:position) }
+    default_scope -> { order(position: :asc) }
 
     private
 

diff --git a/core/app/models/spree/variant/scopes.rb b/core/app/models/spree/variant/scopes.rb
@@ -2,7 +2,7 @@ module Spree
   class Variant < Spree::Base
     # FIXME: WARNING tested only under sqlite and postgresql
     scope :descend_by_popularity, -> {
-      order("COALESCE((SELECT COUNT(*) FROM  #{LineItem.quoted_table_name} GROUP BY #{LineItem.quoted_table_name}.variant_id HAVING #{LineItem.quoted_table_name}.variant_id = #{Variant.quoted_table_name}.id), 0) DESC")
+      order(Arel.sql("COALESCE((SELECT COUNT(*) FROM  #{Spree::LineItem.quoted_table_name} GROUP BY #{Spree::LineItem.quoted_table_name}.variant_id HAVING #{Spree::LineItem.quoted_table_name}.variant_id = #{Spree::Variant.quoted_table_name}.id), 0) DESC"))
     }
 
     class << self
-Original file line number
+Diff line change
@@ Expand Up / @@ -9,7 +9,7 @@ class Taxonomy < Spree::Base @@
         after_save :set_name
-        default_scope -> { order(:position) }
+        default_scope -> { order(position: :asc) }
         private
@@ Expand Down @@