X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/f71c9e59bfff91da4b89050ceae27dbe3edcdb6c..eff37344f3cecd5aed259c9852aca4bdcdfb6922:/services/api/lib/load_param.rb diff --git a/services/api/lib/load_param.rb b/services/api/lib/load_param.rb index 70387fe916..35f1d0b640 100644 --- a/services/api/lib/load_param.rb +++ b/services/api/lib/load_param.rb @@ -6,9 +6,12 @@ # @where, @filters, @limit, @offset, @orders module LoadParam - # Default limit on number of rows to return in a single query. + # Default number of rows to return in a single query. DEFAULT_LIMIT = 100 + # Maximum number of rows to return in a single query, even if the client asks for more. + MAX_LIMIT = 1000 + # Load params[:where] into @where def load_where_param if params[:where].nil? or params[:where] == "" @@ -34,18 +37,16 @@ module LoadParam elsif params[:filters].is_a? String and !params[:filters].empty? begin f = Oj.load params[:filters] - raise unless f.is_a? Array - @filters += f + if not f.nil? + raise unless f.is_a? Array + @filters += f + end rescue raise ArgumentError.new("Could not parse \"filters\" param as an array") end end end - def default_orders - ["#{table_name}.modified_at desc"] - end - # Load params[:limit], params[:offset] and params[:order] # into @limit, @offset, @orders def load_limit_offset_order_params @@ -53,7 +54,7 @@ module LoadParam unless params[:limit].to_s.match(/^\d+$/) raise ArgumentError.new("Invalid value for limit parameter") end - @limit = params[:limit].to_i + @limit = [params[:limit].to_i, MAX_LIMIT].min else @limit = DEFAULT_LIMIT end @@ -68,7 +69,7 @@ module LoadParam end @orders = [] - if params[:order] + if (params[:order].is_a?(Array) && !params[:order].empty?) || !params[:order].blank? od = [] (case params[:order] when String @@ -87,17 +88,32 @@ module LoadParam order = order.to_s attr, direction = order.strip.split " " direction ||= 'asc' + # The attr can have its table unspecified if it happens to be for the current "model_class" (the first case) + # or it can be fully specified with the database tablename (the second case) (e.g. "collections.name"). + # NB that the security check for the second case table_name will not work if the model + # has used set_table_name to use an alternate table name from the Rails standard. + # I could not find a perfect way to handle this well, but ActiveRecord::Base.send(:descendants) + # would be a place to start if this ever becomes necessary. if attr.match /^[a-z][_a-z0-9]+$/ and model_class.columns.collect(&:name).index(attr) and ['asc','desc'].index direction.downcase @orders << "#{table_name}.#{attr} #{direction.downcase}" + elsif attr.match /^([a-z][_a-z0-9]+)\.([a-z][_a-z0-9]+)$/ and + ['asc','desc'].index(direction.downcase) and + ActiveRecord::Base.connection.tables.include?($1) and + $1.classify.constantize.columns.collect(&:name).index($2) + # $1 in the above checks references the first match from the regular expression, which is expected to be the database table name + # $2 is of course the actual database column name + @orders << "#{attr} #{direction.downcase}" end end end - if @orders.empty? - @orders = default_orders - end + # If the client-specified orders don't amount to a full ordering + # (e.g., [] or ['owner_uuid desc']), fall back on the default + # orders to ensure repeating the same request (possibly with + # different limit/offset) will return records in the same order. + @orders += model_class.default_orders case params[:select] when Array @@ -124,5 +140,4 @@ module LoadParam @distinct = false if (params[:distinct] == false || params[:distinct] == "false") end - end