Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Moved] Improve variant and product autocomplete functions flexibility with Ransack #4733

Closed
wants to merge 3 commits into from
Closed

[Moved] Improve variant and product autocomplete functions flexibility with Ransack #4733

wants to merge 3 commits into from

Conversation

RyanofWoods
Copy link
Contributor

@RyanofWoods RyanofWoods commented Nov 22, 2022
edited
Loading

Summary

From this change, when initializing a productAutocomplete, a callback can be given to the searchCallback option. This callback should return a hash object that will be used to merge onto the existing parameters in the select2 ajax function. The callback also allows for one argument, which is the string typed in the select2 (term). Custom Ransack can be achieved by defining this option with the Ransack query on the q key.

$('#product-dropdown').productAutocomplete({
  multiple: false,
  searchCallback: (searchString) => ({
    q: {
      name_cont: searchString,
      available_on_not_null: true
    })
  }
})

Similar behavior was already existing on the variantAutocomplete, however accepted a simple hash object instead of a function, and so one didn't have access to the select2 search term, so this was improved.

$('#variant-dropdown).variantAutocomplete({
  searchCallback: (searchString) => ({
    q: {
      variant_search_term: null,
      sku_cont: searchString
    })
  }
})

Checklist

Check out our PR guidelines for more details.

The following are mandatory for all PRs:

  • I have written a thorough PR description.
  • I have kept my commits small and atomic.
  • I have used clear, explanatory commit messages.

The following are not always needed (cross them out if they are not):

  • I have added automated tests to cover my changes.
    - [ ] I have attached screenshots to demo visual changes.
    - [ ] I have opened a PR to update the guides.
    - [ ] I have updated the README to account for my changes.

Autocompletes are still working:

Variant

Orders#index

Screenshot 2022-11-28 at 14 10 33

Orders#edit

Screenshot 2022-11-28 at 14 10 45

Product

Promotion Rules - Product

Screenshot 2022-11-28 at 14 12 10

Promotion Rules - Option Values

Screenshot 2022-11-28 at 14 12 47

@RyanofWoods RyanofWoods marked this pull request as draft November 22, 2022 11:06
@github-actions github-actions bot added the changelog:solidus_backend Changes to the solidus_backend gem label Nov 22, 2022
@RyanofWoods RyanofWoods marked this pull request as ready for review November 22, 2022 13:27
@kennyadsl
Copy link
Member

@RyanofWoods nice, can you please show us the way to use this custom query as well?

@RyanofWoods RyanofWoods force-pushed the ryanofwoods/make-product-autocomplete-more-reusable branch from 9a96c36 to dbd35b2 Compare November 22, 2022 15:33
@RyanofWoods
Copy link
Contributor Author

I added an example to the description @kennyadsl 👍 I also changed the option variable name to use lower camelcase
ransack_q_callback -> ransackQCallback

@waiting-for-dev
Copy link
Contributor

waiting-for-dev commented Nov 23, 2022
edited
Loading

Thanks, @RyanofWoods!! ❤️ A couple of questions/suggestions:

  • Can you point us to the point where it's sent to the database? I'm worried about possible SQL injection attacks.
  • Would it be possible to add a test for it?
  • In the boy scout spirit, adding a few docs on top of the file would be nice.

tvdeyen
tvdeyen reviewed Nov 23, 2022
View reviewed changes
Copy link
Member

@tvdeyen tvdeyen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Loving that! Thanks. I have some doubts about the name and it would be nice to fix the variantAutocomplete as well :)

backend/app/assets/javascripts/spree/backend/product_picker.js Outdated Show resolved Hide resolved
@RyanofWoods
Copy link
Contributor Author

Thanks, @RyanofWoods!! ❤️ A couple of questions/suggestions:

  • Can you point us to the point where it's sent to the database? I'm worried about possible XSS attacks.
  • Would it be possible to add a test for it?
  • In the boy scout spirit, adding a few docs on top of the file would be nice.

Thanks for your feedback @waiting-for-dev ❤️

I will happily add tests and docs for it after discussing some more 👍

Here's the endpoint it touches:

solidus/backend/app/controllers/spree/admin/search_controller.rb

Line 29 in d582f54

@products = Spree::Product.ransack(params[:q]).result

Security of this is a great point, this change would make it highly dependant on how well .ransack protects attacks. We could perhaps add a configuration such as allowed_product_autocomplete_rancsack_matchers, and then do param filters in the controller, WDYT?

@RyanofWoods
Copy link
Contributor Author

RyanofWoods commented Nov 23, 2022
edited
Loading

On further inspection, if there would be any security issues with allowing full control of parameters to ransack, we would have this problem right now with the variantAutocomplete:

solidus/api/app/controllers/spree/api/variants_controller.rb

Lines 37 to 42 in d582f54

if params[:variant_search_term]
Spree::Config.variant_search_class.new(
params[:variant_search_term], scope: scope
).results.includes(include_list)
else
scope.includes(include_list).ransack(params[:q]).result

@waiting-for-dev
Copy link
Contributor

Security of this is a great point, this change would make it highly dependant on how well .ransack protects attacks

Ok, it all boils down to the regular usage of Ransack, so we should be fine.

@waiting-for-dev waiting-for-dev added the type:enhancement Proposed or newly added feature label Nov 23, 2022
@codecov
Copy link

codecov bot commented Nov 25, 2022
edited
Loading

Codecov Report

Merging #4733 (d582f54) into master (efe2b3a) will not change coverage.
The diff coverage is n/a.

❗ Current head d582f54 differs from pull request most recent head c89a605. Consider uploading reports for the commit c89a605 to get more accurate results

@@           Coverage Diff           @@
##           master    #4733   +/-   ##
=======================================
  Coverage   86.14%   86.14%           
=======================================
  Files         578      578           
  Lines       14654    14654           
=======================================
  Hits        12623    12623           
  Misses       2031     2031

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@RyanofWoods RyanofWoods force-pushed the ryanofwoods/make-product-autocomplete-more-reusable branch from dbd35b2 to 222767d Compare November 28, 2022 13:27
@github-actions github-actions bot added the changelog:solidus_api Changes to the solidus_api gem label Nov 28, 2022
@RyanofWoods RyanofWoods force-pushed the ryanofwoods/make-product-autocomplete-more-reusable branch from 222767d to 8c319fe Compare November 28, 2022 13:35
@RyanofWoods
Copy link
Contributor Author

Specs are not getting actioned here @waiting-for-dev 🤔

@RyanofWoods RyanofWoods changed the title Allow backend productAutocomplete to support a custom ransack query Improve variant and product autocomplete functions flexibility with Ransack Nov 28, 2022
@waiting-for-dev
Copy link
Contributor

Specs are not getting actioned here @waiting-for-dev 🤔

Can you git commit --amend --allow-empty & git push -f? I've seen this kind of hiccup in the past 🤷

@RyanofWoods RyanofWoods force-pushed the ryanofwoods/make-product-autocomplete-more-reusable branch from 8c319fe to 38c0a8f Compare November 28, 2022 15:15
@RyanofWoods
Copy link
Contributor Author

Done this twice now, but same thing @waiting-for-dev 🤷

@RyanofWoods RyanofWoods force-pushed the ryanofwoods/make-product-autocomplete-more-reusable branch from 38c0a8f to b02bc2c Compare November 28, 2022 16:24
@waiting-for-dev
Copy link
Contributor

Done this twice now, but same thing @waiting-for-dev 🤷

For some reason, you are unauthorized to run the build. Let's investigate that further. For now, I re-run CI and we can see the results. BUT, same that master, it's failing because the image suddenly can't find the libvips package 🤷

@RyanofWoods RyanofWoods force-pushed the ryanofwoods/make-product-autocomplete-more-reusable branch from d5cb2fd to b02bc2c Compare December 1, 2022 06:48
@waiting-for-dev
Copy link
Contributor

Great, @RyanofWoods, you're no longer unauthorized! 🥳 Just rebase from master to fix the CI errors.

@RyanofWoods
Allow productAutocomplete to support a custom ransack query
924008d 
From this change, when initializing a productAutocomplete, a function
can be given to the searchCallback option argument. This callback should
return an object (hash), and accepts a parameter which is the currently
typed string in the autocomplete select2. The "q" key on the returned
hash will be given to Ransack.
@RyanofWoods
Improve variantAutocomplete to be more reusable
f66dba7 
From this change, when initializing a variantAutocomplete, a function
can be given to the searchCallback option argument.

Before, variantAutocomplete accepted a object (hash) searchOptions
argument, now, instead, searchCallback should be used and given a
function that returns an object (hash). It accepts a parameter which is
the currently typed string in the autocomplete select2. The "q" key on
the returned hash will be given to Ransack if the variant_search_term
key is overridden with a falsy value.

For compatibility, if searchOptions was being used, searchCallback can
just return the same hash.
@RyanofWoods RyanofWoods force-pushed the ryanofwoods/make-product-autocomplete-more-reusable branch from b02bc2c to e021613 Compare December 2, 2022 07:21
@RyanofWoods RyanofWoods requested a review from a team as a code owner December 2, 2022 07:21
@RyanofWoods
Copy link
Contributor Author

Nope, happened again @waiting-for-dev, wondering it's something to do with force pushing or that I am pushing to my own fork 🤔

@RyanofWoods RyanofWoods force-pushed the ryanofwoods/make-product-autocomplete-more-reusable branch from e021613 to b969610 Compare December 5, 2022 03:38
@RyanofWoods
Improve VariantsController request spec realism
c89a605 
For this endpoint use the q parameter with Ransack variant_search_term
has to be a falsy value/not exist. By default, variantAutocomplete has
variant_search_term defined and needs to be overriden if ransack wants
to be used.
@RyanofWoods RyanofWoods force-pushed the ryanofwoods/make-product-autocomplete-more-reusable branch from b969610 to c89a605 Compare December 5, 2022 10:47
@RyanofWoods
Copy link
Contributor Author

I couldn't get the CircleCI tests to trigger 🤷 So I made a new PR via the Nebulab fork which did the trick.
#4767

@tvdeyen @waiting-for-dev

@RyanofWoods RyanofWoods closed this Dec 5, 2022
@RyanofWoods RyanofWoods changed the title Improve variant and product autocomplete functions flexibility with Ransack [Moved] Improve variant and product autocomplete functions flexibility with Ransack Dec 5, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tvdeyen tvdeyen tvdeyen left review comments

Assignees
No one assigned
Labels
changelog:solidus_api Changes to the solidus_api gem changelog:solidus_backend Changes to the solidus_backend gem type:enhancement Proposed or newly added feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@RyanofWoods @kennyadsl @waiting-for-dev @tvdeyen