Class: ActiveElement::Components::TextSearch::Component

Inherits:
Object
Defined in:
lib/active_element/components/text_search/component.rb

Overview

Used by auto-complete search field for executing a text search on the provided model and attributes.

The user must have a permission configured for each field used in the search:

`can_text_search_<application_name>_<models>_with_<field>`

A model must call `authorize_active_element_text_search` to enable text search, e.g.:

class MyModel < ApplicationRecord
  authorize_active_element_text_search with: [:id, :email],
                                       providing: [:id, :first_name, :last_name, :email]
end

This allows searching using the `name` and `email` columns and permits returning each matching record's `id`, `first_name`, `last_name`, and `email` values.

This complexity exists to ensure that authenticated users can only retrieve specific database values that are explicitly configured, and that users cannot search arbitrary columns. Requiring this logic in the model is intended to reduce the likelihood of DoS vulnerabilities that arise if users are able to search unindexed columns.

Note that the `/_active_element_text_search` endpoint added to each controller necessarily receives arbitrary arguments. Configuring a form to only fetch certain values does not restrict potential parameters, so a strict permissions and model configuration system is required to govern access to database queries.
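The gating the overview describes (searchable columns restricted to `with:`, a `can_text_search_<app>_<models>_with_<field>` permission required per searched field, and only `providing:` columns returned) can be shown with a small stand-alone policy. This is an added illustration, not ActiveElement's own code; `SearchPolicy`, `SAMPLE_RECORDS` and the permission strings are constructed for the example, and the 50-row bound mirrors `DEFAULT_LIMIT`.

```ruby
require 'set'

# Illustrative policy (assumed name) modelling the checks described above.
class SearchPolicy
  Rejected = Struct.new(:status, :reason)

  # with:/providing: mirror the authorize_active_element_text_search options.
  def initialize(app:, model_name:, with:, providing:, permissions:, limit: 50)
    @app, @model_name = app, model_name
    @with, @providing = with.map(&:to_sym), providing.map(&:to_sym)
    @permissions = permissions.to_set
    @limit = limit # corresponds to DEFAULT_LIMIT on the page
  end

  # Permission name format from the page: can_text_search_<app>_<models>_with_<field>
  def permission_for(field)
    "can_text_search_#{@app}_#{@model_name}_with_#{field}"
  end

  # Returns Rejected when a check fails, otherwise the projected matching rows.
  def search(records, attributes:, query:)
    attrs = Array(attributes).map(&:to_sym)
    return Rejected.new(:unverified_parameters, 'no attributes given') if attrs.empty?
    # 1. The model configuration decides which columns may be searched at all.
    unless attrs.all? { |a| @with.include?(a) }
      return Rejected.new(:unverified_model, 'attribute not listed in with:')
    end
    # 2. The user must hold a permission for every searched field.
    missing = attrs.reject { |a| @permissions.include?(permission_for(a)) }
    return Rejected.new(:unauthorized, "missing #{permission_for(missing.first)}") unless missing.empty?
    # 3. Match, bound the result set, and return only the providing: columns.
    needle = query.to_s.downcase
    records.select { |r| attrs.any? { |a| r.fetch(a).to_s.downcase.include?(needle) } }
           .first(@limit)
           .map { |r| r.slice(*@providing) }
  end
end

# Constructed sample rows; password_digest is neither searchable nor returned.
SAMPLE_RECORDS = [
  { id: 1, email: 'alice@example.com', first_name: 'Alice', last_name: 'Liddell', password_digest: 'x' },
  { id: 2, email: 'bob@example.com', first_name: 'Bob', last_name: 'Builder', password_digest: 'y' }
].freeze

def example_policy(permissions)
  SearchPolicy.new(app: 'my_app', model_name: 'my_models', with: [:id, :email],
                   providing: [:id, :first_name, :last_name, :email], permissions: permissions)
end
```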

Constant Summary

DEFAULT_LIMIT = 50

Instance Method Summary

Constructor Details

#initialize(controller:) ⇒ Component

Returns a new instance of Component.

# File 'lib/active_element/components/text_search/component.rb', line 35

def initialize(controller:)
  # The controller supplies the (arbitrary) request parameters the search checks.
  @controller = controller
  @params = controller.params
end

Instance Method Details

#response ⇒ Object

# File 'lib/active_element/components/text_search/component.rb', line 40

def response
  # Each check short-circuits with an error response before any query runs.
  return unverified_parameters unless verified_parameters?
  return unverified_model unless verified_model?
  return unauthorized unless authorization.authorized?

  { json: { results: results, request_id: controller.params[:request_id] }, status: :created }
end