Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Ransack 4.0 allowlist be an optional config #1482

Open
gvkhna opened this issue Mar 17, 2024 · 5 comments
Open

Ransack 4.0 allowlist be an optional config #1482

gvkhna opened this issue Mar 17, 2024 · 5 comments

Comments

@gvkhna
Copy link

gvkhna commented Mar 17, 2024

This allowlist enforcement actually needs to be able to be turned off. I understand the security protections trying to be put in place by this change. But for many apps it's not even needed, internal only apps that aren't even internet accessible don't need additional any additional attention. I can understand default requiring this but a simple config of some kind to turn it off would be needed as well.

TLDR: This was a breaking change and instituted quite abruptly, and so everyone probably is just pinning to the older version.

@sk-
Copy link

sk- commented Mar 26, 2024

Another reason to offer an opt out mechanism is the performance degradation reported in #1462

@Tmpv
Copy link

Tmpv commented Apr 3, 2024

The old behaviour is quite simple to implement and is actually mentioned in one of the tests implementing the new requirement.

But this is not mentioned in the official documentation.

@gvkhna
Copy link
Author

gvkhna commented Apr 3, 2024

@Tmpv Am i missing something, I added that to ApplicationRecord and I get undefined method authorizable_ransackable_attributes on a class that descends from ApplicationRecord?

@MmKolodziej
Copy link

There's also so many other access control mechanisms that work on a different layer than models that developers might choose to utilize. Strong params, explicitly defined filters in ActiveAdmin (and I promise that so many application will only use Ransack as a dependency of ActiveAdmin), form objects with params validation, etc.

While giving the option to perform the validation inside models is great, there really should be a simple way to opt out of it.

@MmKolodziej
Copy link

Furthermore, if there are gems which define AR models (e.g. mobility defines them dynamically), they might inherit directly from ActiveRecord::Base, leaving no good place to define the necessary methods.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants