Fix deprecation warning for dangerous order usagece-12547-load-search-counts-async

author: Markus Koller <mkoller@gitlab.com> 2019-08-07 22:22:02 +0200
committer: Markus Koller <mkoller@gitlab.com> 2019-08-09 15:26:44 +0200
commit: 336a90c936ae75a67d4413e6f115e4f66d2f773b (patch)
tree: d7cc3c693ebc285349ea98944fe2d6d8bd5ba56a
parent: 28a17ae59f98f187d9408e2a26d569844bc02433 (diff)
download: gitlab-ce-ce-12547-load-search-counts-async.tar.gz
1 files changed, 6 insertions, 4 deletions
diff --git a/app/models/user.rb b/app/models/user.rb
index ac83c8e3256..374e00987c5 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -438,18 +438,20 @@ class User < ApplicationRecord
 
       order = <<~SQL
         CASE
-          WHEN users.name = %{query} THEN 0
-          WHEN users.username = %{query} THEN 1
-          WHEN users.email = %{query} THEN 2
+          WHEN users.name = :query THEN 0
+          WHEN users.username = :query THEN 1
+          WHEN users.email = :query THEN 2
           ELSE 3
         END
       SQL
 
+      sanitized_order_sql = Arel.sql(sanitize_sql_array([order, query: query]))
+
       where(
         fuzzy_arel_match(:name, query, lower_exact_match: true)
           .or(fuzzy_arel_match(:username, query, lower_exact_match: true))
           .or(arel_table[:email].eq(query))
-      ).reorder(order % { query: ApplicationRecord.connection.quote(query) }, :name)
+      ).reorder(sanitized_order_sql, :name)
     end
 
     # Limits the result set to users _not_ in the given query/list of IDs.
author	Markus Koller <mkoller@gitlab.com>	2019-08-07 22:22:02 +0200
committer	Markus Koller <mkoller@gitlab.com>	2019-08-09 15:26:44 +0200
commit	336a90c936ae75a67d4413e6f115e4f66d2f773b (patch)
tree	d7cc3c693ebc285349ea98944fe2d6d8bd5ba56a
parent	28a17ae59f98f187d9408e2a26d569844bc02433 (diff)
download	gitlab-ce-ce-12547-load-search-counts-async.tar.gz