Mark non-attribute usage in SQL queries as safe.

Non-attribute arguments will be disallowed in Rails 6.0.

5 files changed, 15 insertions, 8 deletions

diff --git a/app/controllers/admins_controller.rb b/app/controllers/admins_controller.rb
index f0fa8bb5c..daad7c46f 100644
--- a/app/controllers/admins_controller.rb
+++ b/app/controllers/admins_controller.rb
@@ -51,7 +51,11 @@ class AdminsController < Admin::AdminController
   end
 
   def stats
-    @popular_tags = ActsAsTaggableOn::Tagging.joins(:tag).limit(50).order('count(taggings.id) DESC').group(:tag).count
+    @popular_tags = ActsAsTaggableOn::Tagging.joins(:tag)
+                                             .limit(50)
+                                             .order(Arel.sql("count(taggings.id) DESC"))
+                                             .group(:tag)
+                                             .count
 
     case params[:range]
     when "week"
@@ -72,7 +76,10 @@ class AdminsController < Admin::AdminController
       create_hash(model, :range => range)
     end
 
-    @posts_per_day = Post.where("created_at >= ?", Date.today - 21.days).group("DATE(created_at)").order("DATE(created_at) ASC").count
+    @posts_per_day = Post.where("created_at >= ?", Time.zone.today - 21.days)
+                         .group(Arel.sql("DATE(created_at)"))
+                         .order(Arel.sql("DATE(created_at) ASC"))
+                         .count
     @most_posts_within = @posts_per_day.values.max.to_f
 
     @user_count = User.count
diff --git a/app/controllers/contacts_controller.rb b/app/controllers/contacts_controller.rb
index f62050734..34a45b383 100644
--- a/app/controllers/contacts_controller.rb
+++ b/app/controllers/contacts_controller.rb
@@ -66,7 +66,7 @@ class ContactsController < ApplicationController
       when "receiving"
         current_user.contacts.receiving
       when "by_aspect"
-        order.unshift "contact_id IS NOT NULL DESC"
+        order.unshift Arel.sql("contact_id IS NOT NULL DESC")
         contacts_by_aspect(@aspect.id)
       else
         raise ArgumentError, "unknown type #{type}"
diff --git a/app/models/person.rb b/app/models/person.rb
index db799d7d7..081a08dd8 100644
--- a/app/models/person.rb
+++ b/app/models/person.rb
@@ -162,7 +162,7 @@ class Person < ApplicationRecord
         contacts.id IS NOT NULL AS is_contact
         SQL
              )
-      .order(<<-SQL
+      .order(Arel.sql(<<-SQL
         is_author DESC,
         is_commenter DESC,
         is_liker DESC,
@@ -170,7 +170,7 @@ class Person < ApplicationRecord
         profiles.full_name,
         people.diaspora_handle
         SQL
-            )
+                     ))
   }
 
   def self.community_spotlight
@@ -241,7 +241,7 @@ class Person < ApplicationRecord
     query = query.where(contacts: {sharing: true, receiving: true}) if mutual
 
     query.where(closed_account: false)
-         .order(["contacts.user_id IS NULL", "profiles.last_name ASC", "profiles.first_name ASC"])
+         .order([Arel.sql("contacts.user_id IS NULL"), "profiles.last_name ASC", "profiles.first_name ASC"])
   end
 
   def name(opts = {})
diff --git a/app/services/like_service.rb b/app/services/like_service.rb
index b5623a048..64bb990fa 100644
--- a/app/services/like_service.rb
+++ b/app/services/like_service.rb
@@ -22,7 +22,7 @@ class LikeService
 
   def find_for_post(post_id)
     likes = post_service.find!(post_id).likes
-    user ? likes.order("author_id = #{user.person.id} DESC") : likes
+    user ? likes.order(Arel.sql("author_id = #{user.person.id} DESC")) : likes
   end
 
   private
diff --git a/app/services/reshare_service.rb b/app/services/reshare_service.rb
index c4bd94ff6..2f4c73c6f 100644
--- a/app/services/reshare_service.rb
+++ b/app/services/reshare_service.rb
@@ -13,7 +13,7 @@ class ReshareService
 
   def find_for_post(post_id)
     reshares = post_service.find!(post_id).reshares
-    user ? reshares.order("author_id = #{user.person.id} DESC") : reshares
+    user ? reshares.order(Arel.sql("author_id = #{user.person.id} DESC")) : reshares
   end
 
   private