From 8653c2dfc943b5536ab99155c8b950e30ba1f567 Mon Sep 17 00:00:00 2001
From: Shinya Maeda
Date: Thu, 30 Mar 2017 19:30:02 +0900
Subject: Add constant as ALLOWED_INDEXED_COLUMNS
---
 app/finders/pipelines_finder.rb | 4 +++-
 lib/api/pipelines.rb | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/app/finders/pipelines_finder.rb b/app/finders/pipelines_finder.rb
index c6666802b7f..f187a3b61fe 100644
--- a/app/finders/pipelines_finder.rb
+++ b/app/finders/pipelines_finder.rb
@@ -1,6 +1,8 @@
 class PipelinesFinder
 attr_reader :project, :pipelines, :params
 
+ ALLOWED_INDEXED_COLUMNS = %w[id status ref user_id].freeze
+
 def initialize(project, params = {})
 @project = project
 @pipelines = project.pipelines
@@ -95,7 +97,7 @@ class PipelinesFinder
 end
 
 def sort_items(items)
- order_by = if %w[id status ref user_id].include?(params[:order_by]) # Allow only indexed columns
+ order_by = if ALLOWED_INDEXED_COLUMNS.include?(params[:order_by])
 params[:order_by]
 else
 :id
diff --git a/lib/api/pipelines.rb b/lib/api/pipelines.rb
index 29757dd9935..6a054544d70 100644
--- a/lib/api/pipelines.rb
+++ b/lib/api/pipelines.rb
@@ -22,7 +22,7 @@ module API
 optional :yaml_errors, type: Boolean, desc: 'If true, returns only yaml error pipelines'
 optional :name, type: String, desc: 'The name of user who triggered pipelines'
 optional :username, type: String, desc: 'The username of user who triggered pipelines'
- optional :order_by, type: String, values: %w[id status ref user_id], default: 'id',
+ optional :order_by, type: String, values: PipelinesFinder::ALLOWED_INDEXED_COLUMNS, default: 'id',
 desc: 'The order_by which is combined with a sort'
 optional :sort, type: String, values: %w[asc desc], default: 'desc',
 desc: 'The sort method which is combined with an order_by'
-- 
cgit v1.2.1
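Review bot: `ALLOWED_INDEXED_COLUMNS` is introduced in the first hunk without a comment, while the same commit drops the only explanation the list had (`# Allow only indexed columns` in `sort_items`). The list is the allowlist for a caller-supplied `order_by` and, after this commit, also the value set of the API parameter, so I would state that at the definition: `# Columns a caller may sort by (indexed only); the sole allowlist for the user-supplied order_by`. Note also that `.freeze` freezes the array but not the strings in it; `%w[id status ref user_id].map(&:freeze).freeze` would make the shared list fully immutable.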
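Review bot: `ALLOWED_INDEXED_COLUMNS.include?(params[:order_by])` in `sort_items` matches strings only, so a caller that passes a symbol such as `:status` is silently sorted by `:id`; the `else` branch itself uses a symbol, which suggests both forms may occur, though no caller is visible here. If symbols should be accepted, compare the normalised value, `ALLOWED_INDEXED_COLUMNS.include?(params[:order_by].to_s)`. Falling back to `:id` for anything outside the list is the right fail-closed behaviour and should stay even though the API now validates the same values. `sort_items` continues past the end of the hunk.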
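Review bot: With `values: PipelinesFinder::ALLOWED_INDEXED_COLUMNS` on the `order_by` line in lib/api/pipelines.rb, the set of values the public API accepts now changes whenever the finder's constant is edited, and nothing at either site says so. A short comment above the parameter, `# order_by values come from the finder's allowlist; extending it extends this API`, would make that visible to whoever touches the list next. The `sort` parameter on the following line still carries an inline `%w[asc desc]`; whether the finder checks the direction independently is not visible in this diff. The params block starts and ends outside the hunk.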