ruby
47 lines · 8 steps
Building a safe filterable product index in Rails
A chainable query that whitelists filters, sorting, and pagination to turn untrusted params into a safe ActiveRecord relation.
Explained by
highlit
1class ProductsController < ApplicationController
2 def index
3 @products = Product
4 .includes(:category, :brand)
5 .filter_by(filter_params)
6 .order(sort_column => sort_direction)
7 .page(params[:page])
8 .per(25)
9 end
10
11 private
12
13 def filter_params
14 params.fetch(:q, {}).permit(
15 :name_cont, :category_id_eq, :brand_id_in,
16 :price_gteq, :price_lteq, :active_eq
17 )
18 end
19
20 def sort_column
21 %w[name price created_at].include?(params[:sort]) ? params[:sort] : :created_at
22 end
23
24 def sort_direction
25 %w[asc desc].include?(params[:direction]) ? params[:direction] : :desc
26 end
27end
28
29class Product < ApplicationRecord
30 belongs_to :category
31 belongs_to :brand
32
33 scope :filter_by, ->(filters) {
34 filters.compact_blank.reduce(all) do |relation, (key, value)|
35 attribute, predicate = key.to_s.rpartition("_").values_at(0, 2)
36
37 case predicate
38 when "cont" then relation.where("#{attribute} ILIKE ?", "%#{value}%")
39 when "eq" then relation.where(attribute => value)
40 when "in" then relation.where(attribute => Array(value))
41 when "gteq" then relation.where("#{attribute} >= ?", value)
42 when "lteq" then relation.where("#{attribute} <= ?", value)
43 else relation
44 end
45 end
46 }
47end
01 / 01
STEP 01
‹ swipe to step through ›
Walkthrough
Space play
←→ step
click any line
Three takeaways
- 1Whitelisting both attributes and predicates keeps user-driven queries safe from SQL injection.
- 2Reducing over filters lets you compose an arbitrary WHERE clause from a single permitted hash.
- 3Eager loading plus pagination keeps a flexible index endpoint fast and N+1-free.
Related explainers
ruby
require "csv" class SalesReport def initialize(path)
Aggregating CSV sales data in Ruby
data-aggregation
memoization
group_by
Intermediate
6 steps
ruby
module DurationFormatter UNITS = [ ['week', 604_800], ['day', 86_400],
Turning seconds into human-readable durations in Ruby
greedy-decomposition
modular-arithmetic
formatting
Intermediate
7 steps
javascript
const express = require('express'); const v1 = express.Router();
Versioning an API with Express Routers
api versioning
routing
modularity
Intermediate
10 steps
python
import csv import io from datetime import datetime
Streaming a CSV export in Flask
streaming
generators
csv
Intermediate
9 steps
ruby
class Comment < ApplicationRecord belongs_to :post belongs_to :author, class_name: "User"
Live-updating comments with Turbo in Rails
turbo-streams
callbacks
associations
Intermediate
8 steps
ruby
require 'json' require 'set' class SensitiveScrubber
Recursively scrubbing secrets from JSON
recursion
data-masking
pattern-matching
Intermediate
7 steps
Share this explainer
Here's the card — post it anywhere.
Made with highlit — turn any snippet into a walkthrough like this in about a minute.
Explain your code
Embed this explainer
Drop the interactive walkthrough into a blog or docs. Views never cost a credit.
<iframe src="https://highlit.co/explainers/building-a-safe-filterable-product-index-in-rails-explained-ruby-bfb2/embed?autoplay=1" width="100%" height="520" loading="lazy" style="border:0"></iframe>
Autoplay is on by default — add ?autoplay=0 to start paused.