From b25759670ed13a4c321ee336856206ab2cc344ba Mon Sep 17 00:00:00 2001 From: Matt-Yorkley <9029026+Matt-Yorkley@users.noreply.github.com> Date: Thu, 2 Sep 2021 11:01:05 +0100 Subject: [PATCH 1/2] Implement ransackable whitelisting --- app/models/application_record.rb | 1 + app/models/concerns/searchable.rb | 53 +++++++++++++++++++++++++++++++ 2 files changed, 54 insertions(+) create mode 100644 app/models/concerns/searchable.rb diff --git a/app/models/application_record.rb b/app/models/application_record.rb index e4478b1559..4149333756 100644 --- a/app/models/application_record.rb +++ b/app/models/application_record.rb @@ -4,6 +4,7 @@ class ApplicationRecord < ActiveRecord::Base include DelegateBelongsTo include Spree::Core::Permalinks include Spree::Preferences::Preferable + include Searchable self.abstract_class = true end diff --git a/app/models/concerns/searchable.rb b/app/models/concerns/searchable.rb new file mode 100644 index 0000000000..9891372b59 --- /dev/null +++ b/app/models/concerns/searchable.rb 
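Review bot: Including `Searchable` in `ApplicationRecord` switches every model to the whitelist at once, but the second patch declares lists for only ten models, so every other model is left with `DEFAULT_SEARCHABLE_ATTRIBUTES` and no associations or scopes. If Ransack is configured to ignore unknown conditions (its `ignore_unknown_conditions` setting, not visible in this series), an existing filter on a now-unlisted column is dropped without an error and the query returns the wider, unfiltered set. Before merging I would check the predicates used at the existing `ransack` call sites and either add the missing lists or make unknown conditions raise in test and development. A comment above the include would also help, e.g. `# Ransack whitelist: models opt in via searchable_* (see concerns/searchable.rb)`.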
@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+# Whitelists model attributes, scopes, and associations that can be searched on with Ransack.
+# Exposes methods for defining the whitelists, eg:
+#
+# class Widget < ApplicationRecord
+# searchable_attributes :number, :state
+# searchable_scopes :activated, :disabled
+#
+# ...
+# end
+
+module Searchable
+ extend ActiveSupport::Concern
+
+ DEFAULT_SEARCHABLE_ATTRIBUTES = [
+ :id, :name, :description, :created_at, :updated_at, :completed_at, :deleted_at
+ ].freeze
+
+ included do
+ class_attribute :whitelisted_search_attributes, instance_accessor: false, default: []
+ class_attribute :whitelisted_search_associations, instance_accessor: false, default: []
+ class_attribute :whitelisted_search_scopes, instance_accessor: false, default: []
+ end
+
+ class_methods do
+ def ransackable_associations(*_args)
+ self.whitelisted_search_associations.map(&:to_s)
+ end
+
+ def ransackable_attributes(*_args)
+ (DEFAULT_SEARCHABLE_ATTRIBUTES | self.whitelisted_search_attributes).map(&:to_s)
+ end
+
+ def ransackable_scopes(*_args)
+ self.whitelisted_search_scopes.map(&:to_s)
+ end
+
+ private
+
+ def searchable_attributes(*attrs)
+ self.whitelisted_search_attributes = attrs
+ end
+
+ def searchable_associations(*attrs)
+ self.whitelisted_search_associations = attrs
+ end
+
+ def searchable_scopes(*attrs)
+ self.whitelisted_search_scopes = attrs
+ end
+ end
+end
From 3fc027877614003e89501b31e4a123f743989983 Mon Sep 17 00:00:00 2001
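Review bot: `ransackable_attributes`, `ransackable_associations` and `ransackable_scopes` take `*_args` and discard the `auth_object` Ransack passes, so each model has a single list for every caller regardless of role. The second patch makes `:email` searchable on `Customer`, `Spree::Order` and `Spree::User`; if any endpoint open to non-admin users forwards request params to `ransack` on those models (not visible here), the same columns are filterable there. I would state this in the header comment, e.g. `# Lists are not role-aware: whitelist only what the least-privileged search endpoint may filter on.`, or accept `auth_object = nil` and keep privileged attributes in a separate list. The `searchable_*` setters also replace rather than merge, so a second call or a subclass call drops the earlier list, which deserves a line in the same comment.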
From: Matt-Yorkley <9029026+Matt-Yorkley@users.noreply.github.com> Date: Thu, 2 Sep 2021 12:21:20 +0100 Subject: [PATCH 2/2] Whitelist searchable attributes on primary models --- app/models/customer.rb | 2 ++ app/models/enterprise.rb | 5 +++++ app/models/order_cycle.rb | 4 ++++ app/models/spree/address.rb | 3 +++ app/models/spree/line_item.rb | 4 ++++ app/models/spree/order.rb | 6 +++++- app/models/spree/product.rb | 4 ++++ app/models/spree/user.rb | 2 ++ app/models/spree/variant.rb | 4 ++++ app/models/subscription.rb | 4 ++++ 10 files changed, 37 insertions(+), 1 deletion(-) diff --git a/app/models/customer.rb b/app/models/customer.rb index 43bc2cf9e8..27a6d150c5 100644 --- a/app/models/customer.rb +++ b/app/models/customer.rb @@ -3,6 +3,8 @@ class Customer < ApplicationRecord acts_as_taggable + searchable_attributes :name, :email, :code + belongs_to :enterprise belongs_to :user, class_name: Spree.user_class.to_s has_many :orders, class_name: "Spree::Order" diff --git a/app/models/enterprise.rb b/app/models/enterprise.rb index 46bbab9306..a2c0ffe60f 100644 --- a/app/models/enterprise.rb +++ b/app/models/enterprise.rb @@ -6,6 +6,11 @@ class Enterprise < ApplicationRecord SELLS = %w(unspecified none own any).freeze ENTERPRISE_SEARCH_RADIUS = 100 + searchable_attributes :sells, :is_primary_producer + searchable_associations :properties + searchable_scopes :is_primary_producer, :is_distributor, :is_hub, :activated, :visible, + :ready_for_checkout, :not_ready_for_checkout + preference :shopfront_message, :text, default: "" preference :shopfront_closed_message, :text, default: "" preference :shopfront_taxon_order, :string, default: "" diff --git a/app/models/order_cycle.rb b/app/models/order_cycle.rb index a8221919d6..e46935e2a2 100644 --- a/app/models/order_cycle.rb +++ b/app/models/order_cycle.rb 
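Review bot: Every name passed to `searchable_scopes` in the Enterprise hunk becomes callable from the search params, and Ransack passes non-boolean param values to the scope as arguments. The scope definitions are outside this hunk, so I cannot tell whether `ready_for_checkout`, `visible` and the others accept arguments; any that do should use the value only through bound parameters. The same check applies to the scope lists in the order_cycle, line_item, order, product, variant and subscription hunks. A comment above the list would record the assumption, e.g. `# Scopes listed here take no arguments; do not add one that interpolates its input.`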
@@ -3,6 +3,10 @@ require 'open_food_network/scope_variant_to_hub' class OrderCycle < ApplicationRecord + searchable_attributes :orders_open_at, :orders_close_at, :coordinator_id + searchable_scopes :active, :inactive, :active_or_complete, :upcoming, :closed, :not_closed, + :dated, :undated, :soonest_opening, :soonest_closing, :most_recently_closed + belongs_to :coordinator, class_name: 'Enterprise' has_many :coordinator_fee_refs, class_name: 'CoordinatorFee' diff --git a/app/models/spree/address.rb b/app/models/spree/address.rb index 80630359a0..c2dc4f6d51 100644 --- a/app/models/spree/address.rb +++ b/app/models/spree/address.rb @@ -4,6 +4,9 @@ module Spree class Address < ApplicationRecord include AddressDisplay + searchable_attributes :firstname, :lastname + searchable_associations :country, :state + belongs_to :country, class_name: "Spree::Country" belongs_to :state, class_name: "Spree::State" diff --git a/app/models/spree/line_item.rb b/app/models/spree/line_item.rb index d760724fad..886432e7c6 100644 --- a/app/models/spree/line_item.rb +++ b/app/models/spree/line_item.rb @@ -8,6 +8,10 @@ module Spree include VariantUnits::VariantAndLineItemNaming include LineItemStockChanges + searchable_attributes :price, :quantity, :order_id, :variant_id, :tax_category_id + searchable_associations :order, :variant, :tax_category, :option_values + searchable_scopes :with_tax, :without_tax + belongs_to :order, class_name: "Spree::Order", inverse_of: :line_items belongs_to :variant, -> { with_deleted }, class_name: "Spree::Variant" belongs_to :tax_category, class_name: "Spree::TaxCategory" diff --git a/app/models/spree/order.rb b/app/models/spree/order.rb index ca5b45dcfa..ef568bca36 100644 --- a/app/models/spree/order.rb +++ b/app/models/spree/order.rb 
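Review bot: In the line_item hunk, `searchable_associations :order, :variant, :tax_category, :option_values` lets a line-item search reach the whitelisted attributes of the associated models. With the Order list from this same patch, a `Spree::LineItem` query can therefore filter on the order's `number` and `email`, and onward through Order's own associations. Associations widen the searchable surface transitively, which is easy to miss when reading one model at a time. If only id filters are needed, `:order` can be left out because `:order_id` is already in `searchable_attributes`; otherwise note it, e.g. `# :order exposes Order's searchable attributes (number, email, ...) to line item searches`.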
@@ -9,10 +9,14 @@ require 'concerns/order_shipment' module Spree class Order < ApplicationRecord prepend OrderShipment - include Checkout include Balance + searchable_attributes :number, :state, :shipment_state, :payment_state, :distributor_id, + :order_cycle_id, :email + searchable_associations :shipping_method, :bill_address + searchable_scopes :complete, :incomplete + checkout_flow do go_to_state :address go_to_state :delivery diff --git a/app/models/spree/product.rb b/app/models/spree/product.rb index 903a87626d..658549e3ee 100755 --- a/app/models/spree/product.rb +++ b/app/models/spree/product.rb @@ -30,6 +30,10 @@ module Spree acts_as_paranoid + searchable_attributes :supplier_id, :primary_taxon_id, :meta_keywords + searchable_associations :supplier, :properties, :primary_taxon, :variants, :master + searchable_scopes :active + has_many :product_option_types, dependent: :destroy # We have an after_destroy callback on Spree::ProductOptionType. However, if we # don't specify dependent => destroy on this association, it is not called. See: diff --git a/app/models/spree/user.rb b/app/models/spree/user.rb index f7efda3b35..ccd8975f6f 100644 --- a/app/models/spree/user.rb +++ b/app/models/spree/user.rb @@ -2,6 +2,8 @@ module Spree class User < ApplicationRecord + searchable_attributes :email + devise :database_authenticatable, :token_authenticatable, :registerable, :recoverable, :rememberable, :trackable, :validatable, :encryptable, :confirmable, encryptor: 'authlogic_sha512', reconfirmable: true diff --git a/app/models/spree/variant.rb b/app/models/spree/variant.rb index 8be71b1252..16012423ae 100644 --- a/app/models/spree/variant.rb +++ b/app/models/spree/variant.rb 
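Review bot: Neither patch adds a spec for the new lists (both diffstats list only files under app/models), and the `Spree::User` hunk is where a regression would cost most, since the `devise` line in its context implies credential and token columns that must stay unsearchable. I would add a model spec that pins the exact list, e.g. `expect(Spree::User.ransackable_attributes).to match_array(%w[id name description created_at updated_at completed_at deleted_at email])`. A later addition to the whitelist or to `DEFAULT_SEARCHABLE_ATTRIBUTES` would then show up in review. The same kind of spec for `Spree::Order` and `Customer` would cover the other lists that include `:email`.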
@@ -13,6 +13,10 @@ module Spree acts_as_paranoid + searchable_attributes :sku, :display_as, :display_name + searchable_associations :product, :option_values, :default_price + searchable_scopes :active, :deleted + belongs_to :product, -> { with_deleted }, touch: true, class_name: 'Spree::Product' delegate_belongs_to :product, :name, :description, :permalink, :available_on, diff --git a/app/models/subscription.rb b/app/models/subscription.rb index d6278cd837..f533b617f5 100644 --- a/app/models/subscription.rb +++ b/app/models/subscription.rb @@ -5,6 +5,10 @@ class Subscription < ApplicationRecord "Spree::Gateway::StripeConnect", "Spree::Gateway::StripeSCA"].freeze + searchable_attributes :shop_id, :canceled_at, :paused_at + searchable_associations :shop + searchable_scopes :active, :not_ended, :not_paused, :not_canceled + belongs_to :shop, class_name: 'Enterprise' belongs_to :customer belongs_to :schedule
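Review bot: `searchable_scopes :active, :deleted` in the variant hunk makes the `deleted` scope selectable from search params on a model that uses `acts_as_paranoid`; presumably that scope returns soft-deleted variants, though its definition is not in the hunk. If Variant searches are reachable outside the admin area, callers could list records that the default scope hides. I would drop `:deleted` unless an admin screen needs it, or record the reason next to the list, e.g. `# :deleted is used by <admin screen placeholder>; keep out of public search endpoints`.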