Other notes
Ransack Aliases
You can customize the attribute names for your Ransack searches by using a
ransack_alias
. This is particularly useful for long attribute names that are
necessary when querying associations or multiple columns.
class Post < ActiveRecord::Base
belongs_to :author
# Abbreviate :author_first_name_or_author_last_name to :author
ransack_alias :author, :author_first_name_or_author_last_name
end
Now, rather than using :author_first_name_or_author_last_name_cont
in your
form, you can simply use :author_cont
. This serves to produce more expressive
query parameters in your URLs.
<%= search_form_for @q do |f| %>
<%= f.label :author_cont %>
<%= f.search_field :author_cont %>
<% end %>
You can also use ransack_alias
for sorting.
class Post < ActiveRecord::Base
belongs_to :author
# Abbreviate :author_first_name to :author
ransack_alias :author, :author_first_name
end
Now, you can use :author
instead of :author_first_name
in a sort_link
.
<%= sort_link(@q, :author) %>
Note that using :author_first_name_or_author_last_name_cont
would produce an invalid sql query. In those cases, Ransack ignores the sorting clause.
Problem with DISTINCT selects
If passed distinct: true
, result
will generate a SELECT DISTINCT
to
avoid returning duplicate rows, even if conditions on a join would otherwise
result in some. It generates the same SQL as calling uniq
on the relation.
Please note that for many databases, a sort on an associated table's columns
may result in invalid SQL with distinct: true
-- in those cases, you
will need to modify the result as needed to allow these queries to work.
For example, you could call joins and includes on the result which has the effect of adding those tables columns to the select statement, overcoming the issue, like so:
def index
@q = Person.ransack(params[:q])
@people = @q.result(distinct: true)
.includes(:articles)
.joins(:articles)
.page(params[:page])
end
If the above doesn't help, you can also use ActiveRecord's select
query
to explicitly add the columns you need, which brute force's adding the
columns you need that your SQL engine is complaining about, you need to
make sure you give all of the columns you care about, for example:
def index
@q = Person.ransack(params[:q])
@people = @q.result(distinct: true)
.select('people.*, articles.name, articles.description')
.page(params[:page])
end
Another method to approach this when using Postgresql is to use ActiveRecords's .includes
in combination with .group
instead of distinct: true
.
For example:
def index
@q = Person.ransack(params[:q])
@people = @q.result
.group('persons.id')
.includes(:articles)
.page(params[:page])
end
A final way of last resort is to call to_a.uniq
on the collection at the end
with the caveat that the de-duping is taking place in Ruby instead of in SQL,
which is potentially slower and uses more memory, and that it may display
awkwardly with pagination if the number of results is greater than the page size.
For example:
def index
@q = Person.ransack(params[:q])
@people = @q.result.includes(:articles).page(params[:page]).to_a.uniq
end
PG::UndefinedFunction: ERROR: could not identify an equality operator for type json
If you get the above error while using distinct: true
that means that
one of the columns that Ransack is selecting is a json
column.
PostgreSQL does not provide comparison operators for the json
type. While
it is possible to work around this, in practice it's much better to convert those
to jsonb
, as recommended by the PostgreSQL documentation.
Authorization (allowlisting/denylisting)
By default, searching and sorting are authorized on any column of your model and no class methods/scopes are whitelisted.
Ransack adds four methods to ActiveRecord::Base
that you can redefine as
class methods in your models to apply selective authorization:
ransackable_attributes
ransackable_associations
ransackable_scopes
ransortable_attributes
Here is how these four methods are implemented in Ransack:
# `ransackable_attributes` by default returns all column names
# and any defined ransackers as an array of strings.
# For overriding with a whitelist array of strings.
#
def ransackable_attributes(auth_object = nil)
column_names + _ransackers.keys
end
# `ransackable_associations` by default returns the names
# of all associations as an array of strings.
# For overriding with a whitelist array of strings.
#
def ransackable_associations(auth_object = nil)
reflect_on_all_associations.map { |a| a.name.to_s }
end
# `ransortable_attributes` by default returns the names
# of all attributes available for sorting as an array of strings.
# For overriding with a whitelist array of strings.
#
def ransortable_attributes(auth_object = nil)
ransackable_attributes(auth_object)
end
# `ransackable_scopes` by default returns an empty array
# i.e. no class methods/scopes are authorized.
# For overriding with a whitelist array of *symbols*.
#
def ransackable_scopes(auth_object = nil)
[]
end
Any values not returned from these methods will be ignored by Ransack, i.e. they are not authorized.
All four methods can receive a single optional parameter, auth_object
. When
you call the search or ransack method on your model, you can provide a value
for an auth_object
key in the options hash which can be used by your own
overridden methods.
Here is an example that puts all this together, adapted from
this blog post by Ernie Miller.
In an Article
model, add the following ransackable_attributes
class method
(preferably private):
class Article < ActiveRecord::Base
def self.ransackable_attributes(auth_object = nil)
if auth_object == :admin
# whitelist all attributes for admin
super
else
# whitelist only the title and body attributes for other users
super & %w(title body)
end
end
private_class_method :ransackable_attributes
end
Here is example code for the articles_controller
:
class ArticlesController < ApplicationController
def index
@q = Article.ransack(params[:q], auth_object: set_ransack_auth_object)
@articles = @q.result
end
private
def set_ransack_auth_object
current_user.admin? ? :admin : nil
end
end
Trying it out in rails console
:
> Article
=> Article(id: integer, person_id: integer, title: string, body: text)
> Article.ransackable_attributes
=> ["title", "body"]
> Article.ransackable_attributes(:admin)
=> ["id", "person_id", "title", "body"]
> Article.ransack(id_eq: 1).result.to_sql
=> SELECT "articles".* FROM "articles" # Note that search param was ignored!
> Article.ransack({ id_eq: 1 }, { auth_object: nil }).result.to_sql
=> SELECT "articles".* FROM "articles" # Search param still ignored!
> Article.ransack({ id_eq: 1 }, { auth_object: :admin }).result.to_sql
=> SELECT "articles".* FROM "articles" WHERE "articles"."id" = 1
That's it! Now you know how to whitelist/blacklist various elements in Ransack.
Handling unknown predicates or attributes
By default, Ransack will ignore any unknown predicates or attributes:
Article.ransack(unknown_attr_eq: 'Ernie').result.to_sql
=> SELECT "articles".* FROM "articles"
Ransack may be configured to raise an error if passed an unknown predicate or
attributes, by setting the ignore_unknown_conditions
option to false
in your
Ransack initializer file at config/initializers/ransack.rb
:
Ransack.configure do |c|
# Raise errors if a query contains an unknown predicate or attribute.
# Default is true (do not raise error on unknown conditions).
c.ignore_unknown_conditions = false
end
Article.ransack(unknown_attr_eq: 'Ernie')
# ArgumentError (Invalid search term unknown_attr_eq)
As an alternative to setting a global configuration option, the .ransack!
class method also raises an error if passed an unknown condition:
Article.ransack!(unknown_attr_eq: 'Ernie')
# ArgumentError: Invalid search term unknown_attr_eq
This is equivalent to the ignore_unknown_conditions
configuration option,
except it may be applied on a case-by-case basis.
Using Scopes/Class Methods
Continuing on from the preceding section, searching by scopes requires defining
a whitelist of ransackable_scopes
on the model class. The whitelist should be
an array of symbols. By default, all class methods (e.g. scopes) are ignored.
Scopes will be applied for matching true
values, or for given values if the
scope accepts a value:
class Employee < ActiveRecord::Base
scope :activated, ->(boolean = true) { where(active: boolean) }
scope :salary_gt, ->(amount) { where('salary > ?', amount) }
# Scopes are just syntactical sugar for class methods, which may also be used:
def self.hired_since(date)
where('start_date >= ?', date)
end
def self.ransackable_scopes(auth_object = nil)
if auth_object.try(:admin?)
# allow admin users access to all three methods
%i(activated hired_since salary_gt)
else
# allow other users to search on `activated` and `hired_since` only
%i(activated hired_since)
end
end
end
Employee.ransack({ activated: true, hired_since: '2013-01-01' })
Employee.ransack({ salary_gt: 100_000 }, { auth_object: current_user })
In Rails 3 and 4, if the true
value is being passed via url params or some
other mechanism that will convert it to a string, the true value may not be
passed to the ransackable scope unless you wrap it in an array
(i.e. activated: ['true']
). Ransack will take care of changing 'true' into a
boolean. This is currently resolved in Rails 5 😃
However, perhaps you have user_id: [1]
and you do not want Ransack to convert
1 into a boolean. (Values sanitized to booleans can be found in the
constants.rb).
To turn this off globally, and handle type conversions yourself, set
sanitize_custom_scope_booleans
to false in an initializer file like
config/initializers/ransack.rb:
Ransack.configure do |c|
c.sanitize_custom_scope_booleans = false
end
To turn this off on a per-scope basis Ransack adds the following method to
ActiveRecord::Base
that you can redefine to selectively override sanitization:
ransackable_scopes_skip_sanitize_args
Add the scope you wish to bypass this behavior to ransackable_scopes_skip_sanitize_args:
def self.ransackable_scopes_skip_sanitize_args
[:scope_to_skip_sanitize_args]
end
Scopes are a recent addition to Ransack and currently have a few caveats: First, a scope involving child associations needs to be defined in the parent table model, not in the child model. Second, scopes with an array as an argument are not easily usable yet, because the array currently needs to be wrapped in an array to function (see this issue), which is not compatible with Ransack form helpers. For this use case, it may be better for now to use ransackers instead, where feasible. Pull requests with solutions and tests are welcome!
Grouping queries by OR instead of AND
The default AND
grouping can be changed to OR
by adding m: 'or'
to the
query hash.
You can easily try it in your controller code by changing params[:q]
in the
index
action to params[:q].try(:merge, m: 'or')
as follows:
def index
@q = Artist.ransack(params[:q].try(:merge, m: 'or'))
@artists = @q.result
end
Normally, if you wanted users to be able to toggle between AND
and OR
query grouping, you would probably set up your search form so that m
was in
the URL params hash, but here we assigned m
manually just to try it out
quickly.
Alternatively, trying it in the Rails console:
artists = Artist.ransack(name_cont: 'foo', style_cont: 'bar', m: 'or')
=> Ransack::Search<class: Artist, base: Grouping <conditions: [
Condition <attributes: ["name"], predicate: cont, values: ["foo"]>,
Condition <attributes: ["style"], predicate: cont, values: ["bar"]>
], combinator: or>>
artists.result.to_sql
=> "SELECT \"artists\".* FROM \"artists\"
WHERE ((\"artists\".\"name\" ILIKE '%foo%'
OR \"artists\".\"style\" ILIKE '%bar%'))"
The combinator becomes or
instead of the default and
, and the SQL query
becomes WHERE...OR
instead of WHERE...AND
.
This works with associations as well. Imagine an Artist model that has many Memberships, and many Musicians through Memberships:
artists = Artist.ransack(name_cont: 'foo', musicians_email_cont: 'bar', m: 'or')
=> Ransack::Search<class: Artist, base: Grouping <conditions: [
Condition <attributes: ["name"], predicate: cont, values: ["foo"]>,
Condition <attributes: ["musicians_email"], predicate: cont, values: ["bar"]>
], combinator: or>>
artists.result.to_sql
=> "SELECT \"artists\".* FROM \"artists\"
LEFT OUTER JOIN \"memberships\"
ON \"memberships\".\"artist_id\" = \"artists\".\"id\"
LEFT OUTER JOIN \"musicians\"
ON \"musicians\".\"id\" = \"memberships\".\"musician_id\"
WHERE ((\"artists\".\"name\" ILIKE '%foo%'
OR \"musicians\".\"email\" ILIKE '%bar%'))"
Using SimpleForm
If you would like to combine the Ransack and SimpleForm form builders, set the
RANSACK_FORM_BUILDER
environment variable before Rails boots up, e.g. in
config/application.rb
before require 'rails/all'
as shown below (and add
gem 'simple_form'
in your Gemfile).
require File.expand_path('../boot', __FILE__)
ENV['RANSACK_FORM_BUILDER'] = '::SimpleForm::FormBuilder'
require 'rails/all'