sreid
2012-Jul-02 16:44 UTC
suggestion for changed behaviour of non-block version of unscoped activerecord queires
I previously raised a rails issue about the use of unscoped in activerecord queries : https://github.com/rails/rails/issues/2145. It now appears that the current behaviour is actually as documented in the source comments, so my request is really for a feature change rather than a bug fix, and I''ve been directed here. The issue is that using unscoped to override a default scope in a query such as : @user.orders.unscoped.order(...) returns all orders for all users, not just for @user. The source code comment for unscoped recommends using the block version of the above e,g, Orders.unscoped do @user.orders.order(...) end instead, and says that the non block form of unscoped "does not work". I think this is unintuitive, and inconsistent. Returning all records (ignoring all other specified query conditions) seems wrong. Unscoped should just mean "without the default scope". The current behaviour could accidentally lead to security issues such as one user seeing all users data. Could the non-block version either be deprecated; return an error; or (ideally) be corrected ? -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-core/-/WfKJFwGGRBMJ. To post to this group, send email to rubyonrails-core@googlegroups.com. To unsubscribe from this group, send email to rubyonrails-core+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
Richard Schneeman
2012-Jul-02 18:32 UTC
Re: suggestion for changed behaviour of non-block version of unscoped activerecord queires
The current state of default scopes now is broken (for me). I have tried using them many times but they always end up being more trouble then they are worth. One of the biggest shortcomings I''ve had is the inability to remove just the default scope from the relation as sreid mentioned. Unscoped does what it says. It removes all scopes from the relation. It would be nice to have another method that only nullified default scope. Something like ''custom_scope''. Not sure if that''s quite the same intent as th OP, but if included it would be cause enough for me to try default scopes again. -- Richard Schneeman http://heroku.com @schneems Sent from the road On Monday, July 2, 2012 at 11:44 AM, sreid wrote:> I previously raised a rails issue about the use of unscoped in activerecord queries : https://github.com/rails/rails/issues/2145. > > It now appears that the current behaviour is actually as documented in the source comments, so my request is really for a feature change rather than a bug fix, and I''ve been directed here. > > The issue is that using unscoped to override a default scope in a query such as : @user.orders.unscoped.order(...) returns all orders for all users, not just for @user. > > The source code comment for unscoped recommends using the block version of the above e,g, Orders.unscoped do @user.orders.order(...) end instead, and says that the non block form of unscoped "does not work". > I think this is unintuitive, and inconsistent. Returning all records (ignoring all other specified query conditions) seems wrong. Unscoped should just mean "without the default scope". The current behaviour could accidentally lead to security issues such as one user seeing all users data. > Could the non-block version either be deprecated; return an error; or (ideally) be corrected ? > > -- > You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. > To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-core/-/WfKJFwGGRBMJ. > To post to this group, send email to rubyonrails-core@googlegroups.com. > To unsubscribe from this group, send email to rubyonrails-core+unsubscribe@googlegroups.com. > For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.-- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To post to this group, send email to rubyonrails-core@googlegroups.com. To unsubscribe from this group, send email to rubyonrails-core+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
José Valim
2012-Jul-02 19:06 UTC
Re: suggestion for changed behaviour of non-block version of unscoped activerecord queires
I don''t think it makes sense for unscoped to return a different result
based on the context. In general, we need a way to unscope any relation and
that''s what unscoped is for. That said, we can provide a way to achieve
what you want, but that should not be unscoped job.
The reason the unscoped with a block works is related to the ordering, you
can think that you are unscoping the orders before you get the relation
from @user:
Order.unscoped do # We are unscoping here
@user.orders # Now we get the relation
end
As workaround, you can either use the block or try this (I haven''t
tried
this yet, it may work or not):
class Order < AR::Base
scope :unfiltered, scoped
default_scope order(...)
end
The scope call must come before default_scope.
Finally, I am familiar with the complaints about default_scope, the
solution is simple though: simply don''t use it (not being rude,
that''s
simply what I do most of the time).
--
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/rubyonrails-core/-/scoiVKFkaf0J.
To post to this group, send email to rubyonrails-core@googlegroups.com.
To unsubscribe from this group, send email to
rubyonrails-core+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/rubyonrails-core?hl=en.
Ionatan Wiznia
2012-Jul-02 20:29 UTC
Re: suggestion for changed behaviour of non-block version of unscoped activerecord queires
I agree that the default_scope is broken and also don''t use it, but I think it''s not that hard to fix. I like the idea of richard scheenman (although, not the name, I would prefer something like without_default_scope). So I think if we maintain the unscoped method as is (to effectivley clear all the scopes), and add the without_default_scope (to clear just that) we could have a feature that''s useful without breaking any existing code. -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-core/-/YNpPmslNo9cJ. To post to this group, send email to rubyonrails-core@googlegroups.com. To unsubscribe from this group, send email to rubyonrails-core+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.