[我一直试图重构一个模型范围,Brakeman抱怨它,所以我认为修复它是一个好主意,因为我们被寻找我们站点漏洞的机器人扫描了。
scope :cash_deal_aggregated, -> (filter = '') {
select("deals.*")
.from([Arel.sql(
"(SELECT DISTINCT ON (COALESCE(cash_deal_details.cash_deal_id, 0.1*deals.id)) deals.*
FROM deals
INNER JOIN portfolios ON portfolios.id = deals.portfolio_id
LEFT JOIN cash_deal_details ON deals.cash_deal_detail_id = cash_deal_details.id
#{filter}) deals"
)]
)
}
上面的范围是这样使用的:
filter = "WHERE portfolios.client_id = #{client_id}"
deal_records = deal_records = Deal.cash_deal_aggregated(filter)
它也像这样使用:
deal_records = Deal.cash_deal_aggregated
最初,我试图通过直接在查询中添加filter来解决此问题,但随后出现多个错误。
感谢您对此重构的建议。
connection.quote(),以这种方法包装client_id,例如,在您的情况下,尝试此操作"WHERE portfolios.client_id = #{connection.quote(client_id)}"
我也早些时候从刹车员那里得到了这些错误,这解决了。
scope :cash_deal_aggregated, -> (client_id = nil) {
filter = "WHERE portfolios.client_id = #{connection.quote(client_id)}" if client_id
select("deals.*")
.from([Arel.sql(
"(SELECT DISTINCT ON (COALESCE(cash_deal_details.cash_deal_id, 0.1*deals.id)) deals.*
FROM deals
INNER JOIN portfolios ON portfolios.id = deals.portfolio_id
LEFT JOIN cash_deal_details ON deals.cash_deal_detail_id = cash_deal_details.id
#{filter}) deals"
)]
)
}