FIX: Prevent column name conflicts in reviewable code (#9753)

We were getting errors like this in Reviewables in some cases: ``` ActiveRecord::StatementInvalid (PG::AmbiguousColumn: ERROR: column reference "category_id" is ambiguous LINE 4: ...TRUE) OR (reviewable_by_group_id IN (NULL))) AND (category_i... ``` The problem that was making everything go boom is that plugins can add their own custom filters for Reviewables. If one is doing an INNER JOIN on topics, which has its own category_id column, we would get the above AmbiguousColumn error. The solution here is to just make all references to the reviewable columns in the list_for and viewable_by code prefixed by the table name e.g. reviewables.category_id.
2020-05-13 09:05:56 +10:00 · 2020-05-13 09:05:56 +10:00 · 9981fa4466
parent e990d8adce
commit 9981fa4466
2 changed files with 43 additions and 15 deletions
--- a/app/models/reviewable.rb
+++ b/app/models/reviewable.rb
@ -406,7 +406,7 @@ class Reviewable < ActiveRecord::Base
  def self.viewable_by(user, order: nil, preload: true)
    return none unless user.present?
-    result = self.order(order || 'score desc, created_at desc')
+    result = self.order(order || 'reviewables.score desc, reviewables.created_at desc')
    if preload
      result = result.includes(
@ -422,10 +422,10 @@ class Reviewable < ActiveRecord::Base
    group_ids = SiteSetting.enable_category_group_review? ? user.group_users.pluck(:group_id) : []
    result.where(
-      '(reviewable_by_moderator AND :staff) OR (reviewable_by_group_id IN (:group_ids))',
+      '(reviewables.reviewable_by_moderator AND :staff) OR (reviewables.reviewable_by_group_id IN (:group_ids))',
      staff: user.staff?,
      group_ids: group_ids
-    ).where("category_id IS NULL OR category_id IN (?)", Guardian.new(user).allowed_category_ids)
+    ).where("reviewables.category_id IS NULL OR reviewables.category_id IN (?)", Guardian.new(user).allowed_category_ids)
  end
  def self.pending_count(user)
@ -451,13 +451,13 @@ class Reviewable < ActiveRecord::Base
    order = case sort_order
            when 'priority_asc'
-              'score ASC, created_at DESC'
+              'reviewables.score ASC, reviewables.created_at DESC'
            when 'created_at'
-              'created_at DESC, score DESC'
+              'reviewables.created_at DESC, reviewables.score DESC'
            when 'created_at_asc'
-              'created_at ASC, score DESC'
+              'reviewables.created_at ASC, reviewables.score DESC'
            else
-              'score DESC, created_at DESC'
+              'reviewables.score DESC, reviewables.created_at DESC'
    end
    if username.present?
@ -469,19 +469,19 @@ class Reviewable < ActiveRecord::Base
    result = viewable_by(user, order: order)
    result = by_status(result, status)
-    result = result.where(type: type) if type
+    result = result.where('reviewables.type = ?', type) if type
-    result = result.where(category_id: category_id) if category_id
+    result = result.where('reviewables.category_id = ?', category_id) if category_id
-    result = result.where(topic_id: topic_id) if topic_id
+    result = result.where('reviewables.topic_id = ?', topic_id) if topic_id
-    result = result.where("created_at >= ?", from_date) if from_date
+    result = result.where("reviewables.created_at >= ?", from_date) if from_date
-    result = result.where("created_at <= ?", to_date) if to_date
+    result = result.where("reviewables.created_at <= ?", to_date) if to_date
    if min_score > 0 && status == :pending && type.nil?
      result = result.where(
-        "score >= ? OR type IN (?)",
+        "reviewables.score >= ? OR reviewables.type IN (?)",
        min_score, [ReviewableQueuedPost.name, ReviewableUser.name]
      )
    elsif min_score > 0
-      result = result.where("score >= ?", min_score)
+      result = result.where("reviewables.score >= ?", min_score)
    end
    if !custom_filters.empty?
@ -497,7 +497,8 @@ class Reviewable < ActiveRecord::Base
    # If a reviewable doesn't have a target, allow us to filter on who created that reviewable.
    if user_id
      result = result.where(
-        "(target_created_by_id IS NULL AND created_by_id = :user_id) OR (target_created_by_id = :user_id)",
+        "(reviewables.target_created_by_id IS NULL AND reviewables.created_by_id = :user_id)
        OR (reviewables.target_created_by_id = :user_id)",
        user_id: user_id
      )
    end
--- a/spec/models/reviewable_spec.rb
+++ b/spec/models/reviewable_spec.rb
@ -479,6 +479,33 @@ RSpec.describe Reviewable, type: :model do
      expect(results.size).to eq(1)
      expect(results.first).to eq first_reviewable
    end
    context "when listing for a moderator with a custom filter that joins tables with same named columns" do
      it "should not error" do
        first_reviewable = Fabricate(:reviewable)
        second_reviewable = Fabricate(:reviewable)
        custom_filter = [
          :troublemaker,
          Proc.new do |results, value|
            results.joins(<<~SQL
          INNER JOIN posts p ON p.id = target_id
          INNER JOIN topics t ON t.id = p.topic_id
          INNER JOIN topic_custom_fields tcf ON tcf.topic_id = t.id
          INNER JOIN users u ON u.id = tcf.value::integer
                          SQL
                         )
              .where(target_type: Post.name)
              .where('tcf.name = ?', 'troublemaker_user_id')
              .where('u.username = ?', value)
          end
        ]
        Reviewable.add_custom_filter(custom_filter)
        mod = Fabricate(:moderator)
        results = Reviewable.list_for(mod, additional_filters: { troublemaker: 'badguy' })
        expect { results.first }.not_to raise_error
      end
    end
  end
  describe '.by_status' do