X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/f8ba79b88683be984913e28677c4522ca21019aa..41f2b53c35ec79498a513cce2e2fd9019e769c70:/services/api/lib/load_param.rb

diff --git a/services/api/lib/load_param.rb b/services/api/lib/load_param.rb
index 70387fe916..3f1a3b223a 100644
--- a/services/api/lib/load_param.rb
+++ b/services/api/lib/load_param.rb
@@ -6,9 +6,12 @@
 #   @where, @filters, @limit, @offset, @orders
 module LoadParam
 
-  # Default limit on number of rows to return in a single query.
+  # Default number of rows to return in a single query.
   DEFAULT_LIMIT = 100
 
+  # Maximum number of rows to return in a single query, even if the client asks for more.
+  MAX_LIMIT = 1000
+
   # Load params[:where] into @where
   def load_where_param
     if params[:where].nil? or params[:where] == ""
@@ -34,8 +37,10 @@ module LoadParam
     elsif params[:filters].is_a? String and !params[:filters].empty?
       begin
         f = Oj.load params[:filters]
-        raise unless f.is_a? Array
-        @filters += f
+        if not f.nil?
+          raise unless f.is_a? Array
+          @filters += f
+        end
       rescue
         raise ArgumentError.new("Could not parse \"filters\" param as an array")
       end
@@ -53,7 +58,7 @@ module LoadParam
       unless params[:limit].to_s.match(/^\d+$/)
         raise ArgumentError.new("Invalid value for limit parameter")
       end
-      @limit = params[:limit].to_i
+      @limit = [params[:limit].to_i, MAX_LIMIT].min
     else
       @limit = DEFAULT_LIMIT
     end
@@ -68,7 +73,7 @@ module LoadParam
     end
 
     @orders = []
-    if params[:order]
+    if (params[:order].is_a?(Array) && !params[:order].empty?) || !params[:order].blank?
       od = []
       (case params[:order]
        when String
@@ -87,10 +92,23 @@ module LoadParam
         order = order.to_s
         attr, direction = order.strip.split " "
         direction ||= 'asc'
+        # The attr can have its table unspecified if it happens to be for the current "model_class" (the first case)
+        # or it can be fully specified with the database tablename (the second case) (e.g. "collections.name").
+        # NB that the security check for the second case table_name will not work if the model
+        # has used set_table_name to use an alternate table name from the Rails standard.
+        # I could not find a perfect way to handle this well, but ActiveRecord::Base.send(:descendants)
+        # would be a place to start if this ever becomes necessary.
         if attr.match /^[a-z][_a-z0-9]+$/ and
             model_class.columns.collect(&:name).index(attr) and
             ['asc','desc'].index direction.downcase
           @orders << "#{table_name}.#{attr} #{direction.downcase}"
+        elsif attr.match /^([a-z][_a-z0-9]+)\.([a-z][_a-z0-9]+)$/ and
+            ['asc','desc'].index(direction.downcase) and
+            ActiveRecord::Base.connection.tables.include?($1) and
+            $1.classify.constantize.columns.collect(&:name).index($2)
+          # $1 in the above checks references the first match from the regular expression, which is expected to be the database table name
+          # $2 is of course the actual database column name
+          @orders << "#{attr} #{direction.downcase}"
         end
       end
     end
@@ -124,5 +142,4 @@ module LoadParam
     @distinct = false if (params[:distinct] == false || params[:distinct] == "false")
   end
 
-
 end