X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/943feeec776bb75c685cbdee9466f8db3cdf5da7..41f2b53c35ec79498a513cce2e2fd9019e769c70:/services/api/lib/load_param.rb diff --git a/services/api/lib/load_param.rb b/services/api/lib/load_param.rb index e01063d153..3f1a3b223a 100644 --- a/services/api/lib/load_param.rb +++ b/services/api/lib/load_param.rb @@ -6,9 +6,12 @@ # @where, @filters, @limit, @offset, @orders module LoadParam - # Default limit on number of rows to return in a single query. + # Default number of rows to return in a single query. DEFAULT_LIMIT = 100 + # Maximum number of rows to return in a single query, even if the client asks for more. + MAX_LIMIT = 1000 + # Load params[:where] into @where def load_where_param if params[:where].nil? or params[:where] == "" @@ -34,8 +37,10 @@ module LoadParam elsif params[:filters].is_a? String and !params[:filters].empty? begin f = Oj.load params[:filters] - raise unless f.is_a? Array - @filters += f + if not f.nil? + raise unless f.is_a? Array + @filters += f + end rescue raise ArgumentError.new("Could not parse \"filters\" param as an array") end @@ -53,7 +58,7 @@ module LoadParam unless params[:limit].to_s.match(/^\d+$/) raise ArgumentError.new("Invalid value for limit parameter") end - @limit = params[:limit].to_i + @limit = [params[:limit].to_i, MAX_LIMIT].min else @limit = DEFAULT_LIMIT end @@ -68,21 +73,73 @@ module LoadParam end @orders = [] - if params[:order] - params[:order].split(',').each do |order| + if (params[:order].is_a?(Array) && !params[:order].empty?) || !params[:order].blank? + od = [] + (case params[:order] + when String + if params[:order].starts_with? '[' + od = Oj.load(params[:order]) + raise unless od.is_a? Array + od + else + params[:order].split(',') + end + when Array + params[:order] + else + [] + end).each do |order| + order = order.to_s attr, direction = order.strip.split " " direction ||= 'asc' + # The attr can have its table unspecified if it happens to be for the current "model_class" (the first case) + # or it can be fully specified with the database tablename (the second case) (e.g. "collections.name"). + # NB that the security check for the second case table_name will not work if the model + # has used set_table_name to use an alternate table name from the Rails standard. + # I could not find a perfect way to handle this well, but ActiveRecord::Base.send(:descendants) + # would be a place to start if this ever becomes necessary. if attr.match /^[a-z][_a-z0-9]+$/ and model_class.columns.collect(&:name).index(attr) and ['asc','desc'].index direction.downcase @orders << "#{table_name}.#{attr} #{direction.downcase}" + elsif attr.match /^([a-z][_a-z0-9]+)\.([a-z][_a-z0-9]+)$/ and + ['asc','desc'].index(direction.downcase) and + ActiveRecord::Base.connection.tables.include?($1) and + $1.classify.constantize.columns.collect(&:name).index($2) + # $1 in the above checks references the first match from the regular expression, which is expected to be the database table name + # $2 is of course the actual database column name + @orders << "#{attr} #{direction.downcase}" end end end + if @orders.empty? - @orders << default_orders + @orders = default_orders + end + + case params[:select] + when Array + @select = params[:select] + when String + begin + @select = Oj.load params[:select] + raise unless @select.is_a? Array or @select.nil? + rescue + raise ArgumentError.new("Could not parse \"select\" param as an array") + end end - end + if @select + # Any ordering columns must be selected when doing select, + # otherwise it is an SQL error, so filter out invaliding orderings. + @orders.select! { |o| + # match select column against order array entry + @select.select { |s| /^#{table_name}.#{s}( (asc|desc))?$/.match o }.any? + } + end + + @distinct = true if (params[:distinct] == true || params[:distinct] == "true") + @distinct = false if (params[:distinct] == false || params[:distinct] == "false") + end end