16 changes: 9 additions & 7 deletions app/controllers/tasks_controller.rb
Expand Up @@ -15,26 +15,28 @@ def search_check(param)
def sort_check(param)
if param.present?
sort_column = []
sort_column << "state_priority DESC" << param
sort_column << "state.priority DESC" << param
else
"state_priority DESC"
"state.priority DESC"
end
end

# GET /tasks or /tasks.json
def index
if params[:q].nil?
@q = Task.joins(:state).ransack(params[:q])
@q.sorts = ["state_priority DESC", "due_at ASC"]
@q.sorts = ["state.priority DESC", "due_at ASC"]
else
@q = Task.joins(:state).ransack({combinator: 'and', groupings: search_check(params[:q][:content_or_assigner_screen_name_or_description_or_project_name_cont])})
@q.sorts = sort_check(params[:q][:s])
end
@tasks = @q.result.page(params[:page]).per(50).includes(:user, :state)
tasks_query = @q.result

return unless params[:only_todo] == '1'

@tasks = @tasks.where(task_state_id: TaskState.find_by(name: 'todo').id)
if params[:only_todo] == '1'
tasks_query = tasks_query.merge(Task.active)
end

@tasks = tasks_query.page(params[:page]).per(50).includes(:user, :state)
end

# GET /tasks/1 or /tasks/1.json
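Review bot: the sort expression changes from `state_priority DESC` to `state.priority DESC` in both `sort_check` and the default `@q.sorts`; Ransack expects sort names in its own `association_attribute` form, which is what the removed lines used, and a sort name it cannot bind to an attribute is by default dropped silently rather than rejected, so check that the generated SQL still carries an ORDER BY on the state priority. Since `param` (taken from `params[:q][:s]`) is appended to the sort list unchanged, keep the `ransackable_attributes` allowlist on `Task` and its state model explicit so only the intended columns are sortable. `Task.active`, which replaces the `TaskState.find_by(name: 'todo').id` lookup (a `NoMethodError` on `nil` whenever no 'todo' state exists), is not part of this diff; confirm the scope filters on the same state and mention its definition in the PR description.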
15 changes: 11 additions & 4 deletions app/views/tasks/index.html.erb
Expand Up @@ -22,6 +22,7 @@
class: "form-control me-2",
placeholder: '検索ワードを入力して下さい',
style: "flex: 1;" %>
<%= hidden_field_tag :only_todo, params[:only_todo] if params[:only_todo].present? %>
<%= f.submit "検索", class: "btn btn-primary" %>
<% end %>
</div>
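Review bot: `hidden_field_tag :only_todo, params[:only_todo]` echoes whatever value the client sent back into the search form; since `index` only tests `params[:only_todo] == '1'`, emitting the literal `"1"` under the same `present?` guard keeps arbitrary input out of the form. The helper escapes the value as an HTML attribute, so this is a hygiene point rather than an injection risk.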
Expand All @@ -30,10 +31,16 @@
</div>

<%= form_with url: request.path, method: :get, local: true, html: { class: "d-flex" } do %>
<%= check_box_tag :only_todo, "1", params[:only_todo] == "1", onchange: "this.form.submit()" %>
<div class="mx-1">
todoのみ
</div>
<%= check_box_tag :only_todo, "1", params[:only_todo] == "1", onchange: "this.form.submit()" %>
<div class="mx-1">
todoのみ
</div>

<% if params[:q].present? %>
<% params[:q].each do |key, value| %>
<%= hidden_field_tag "q[#{key}]", value %>
Copilot AI Oct 28, 2025

Potential XSS vulnerability: params[:q] is being iterated without sanitization. If params[:q] contains nested hashes or arrays, this could lead to unexpected behavior or security issues. Consider validating the structure of params[:q] and sanitizing the values before rendering them in hidden fields.

Suggested change
<%= hidden_field_tag "q[#{key}]", value %>
<% if value.is_a?(String) || value.is_a?(Numeric) || value == true || value == false %>
<%= hidden_field_tag "q[#{key}]", h(value) %>
<% end %>

<% end %>
<% end %>
<% end %>

<%= render @tasks %>
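Review bot: the `params[:q].each` loop that emits `hidden_field_tag "q[#{key}]", value` should be restricted to the two keys the controller actually reads (`s` and `content_or_assigner_screen_name_or_description_or_project_name_cont`): as written it copies every key a client sends under `q`, and a nested hash or array value would be written out as the `to_s` of a `Parameters` object under a flat `q[key]` name, so the search would no longer round-trip after toggling the checkbox. On the escaping concern in the Copilot comment, `hidden_field_tag` already passes both the field name and the value through the tag helper's attribute escaping, so `h(value)` is redundant rather than protective; the type check on `value` is the useful part of that suggestion, and an explicit key allowlist is better still. The re-indented `check_box_tag` / `todoのみ` block looks like a whitespace-only change; splitting it into its own commit would make the functional changes easier to review.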