repo.all no warnings using clauses

sp33...@gmail.com
Sep 7, 2016, 9:27:35 AM
to elixir-ecto
Maybe I'm wrong because the documentation is a bit short, but for example we have a table of settings where every setting has a user "profile_id":

first case
---------------------
Repo.all(Setting, profile_id: profile_id)
this generates a SQL query without a WHERE clause, giving all rows of the table

second case
------------------------
Repo.all(from s in Setting, where: s.profile_id == ^profile_id)
this generates a correct SQL clause, returning the rows with the same profile_id


My problem was that in the first case I started using Repo.get_by(Setting, profile_id: profile_id), which generates a WHERE clause, and later I changed it to Repo.all because I needed it, which doesn't give any error or warning, and it gives me all rows for all users, which easily turns into a security problem.

If I made this mistake, I'm sure many people will, what do you think?
Is there a "get_by" for multiple results, I mean for example an "all_by" function?






José Valim
Sep 15, 2016, 10:32:10 AM
to elixir-ecto
The second parameter to Repo.all is a set of options, like timeout, prefix and so on. It is not meant to receive database fields. You need to explicitly build a query as you did.
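An added example, not code from the thread or from Ecto itself, showing the two calls side by side, an "all_by/2" helper of the kind asked for above, and a cheap check that renders a query to SQL so a test can confirm a WHERE clause is really present. It assumes an application module MyApp with an SQL-backed MyApp.Repo and a MyApp.Setting schema that has a :profile_id field; those names are assumptions.

```elixir
# Added example; MyApp, MyApp.Repo and MyApp.Setting are assumed names.
defmodule MyApp.Settings do
  import Ecto.Query
  alias MyApp.{Repo, Setting}

  # The first case from the thread: the keyword list lands in Repo.all/2's
  # options argument (timeout, prefix, ...), so no WHERE clause is built and
  # every profile's rows come back. Kept here only to show the pitfall.
  def all_for_profile_unscoped(profile_id) do
    Repo.all(Setting, profile_id: profile_id)
  end

  # The second case: the filter is part of the query itself.
  def all_for_profile(profile_id) do
    Repo.all(from s in Setting, where: s.profile_id == ^profile_id)
  end

  # A multi-row counterpart to Repo.get_by/3: each key/value pair becomes an
  # AND-ed equality condition, built with field/2 so the column is chosen at
  # runtime from the keyword list.
  def all_by(queryable, filters) when is_list(filters) and filters != [] do
    filters
    |> Enum.reduce(queryable, fn {key, value}, query ->
      where(query, [q], field(q, ^key) == ^value)
    end)
    |> Repo.all()
  end
end

defmodule MyApp.QueryCheck do
  import Ecto.Query
  alias MyApp.Repo

  # Render a queryable to SQL without running it and report whether it
  # carries a WHERE clause. Useful in a test that guards a data-access
  # function against silently becoming unscoped, as happened in the thread.
  def scoped?(queryable) do
    {sql, _params} = Ecto.Adapters.SQL.to_sql(:all, Repo, queryable)
    String.contains?(sql, "WHERE")
  end

  # Same check applied to the "all_by" style of filter.
  def scoped_by?(queryable, filters) do
    query =
      Enum.reduce(filters, queryable, fn {key, value}, q ->
        where(q, [r], field(r, ^key) == ^value)
      end)

    scoped?(query)
  end
end
```

In a test, `MyApp.QueryCheck.scoped?(MyApp.Setting)` exercises the bare schema, which is exactly the unscoped query the first case produces, while `scoped_by?(MyApp.Setting, profile_id: 1)` exercises the filtered form.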

sp33...@gmail.com
Sep 18, 2016, 11:15:51 AM
to elixir-ecto
I wouldn't like other people to make the same mistake I did, so if no warning can easily be implemented in the "options" parameter of all Ecto functions that checks whether the options exist, I would like to suggest deprecating "Repo.get_by" and the use of clauses, for the following reasons:
- it breaks consistency of usage: if everything goes through a queryable, why use clauses?
- get_by only exists for one result; there is no get_by for multiple results, so it appears to be partially implemented.
- it seems that clauses were an attempt to reduce the number of keystrokes needed to write database queries.

I come from Django, where the ORM is quite fast for writing database queries. For example, to do a join you just need to write "table1__table2.id = id". In Ecto you must write the join query in a longer way. That's why I liked get_by with clauses, because I wrote less, but I will not use it anymore for the reasons above.

sp33...@gmail.com
Sep 29, 2016, 4:21:19 AM
to elixir-ecto
Here is an example of simplifying code I've found: https://github.com/sheharyarn/ecto_rut Maybe Ecto could merge this project in some way.

José Valim
Sep 29, 2016, 4:31:51 AM
to elixi...@googlegroups.com
Similar to what I have mentioned on Elixir Forum, I would avoid ecto_rut because it fundamentally couples the schema to a repository and a single entity, exactly the opposite of what we have been working on: http://blog.plataformatec.com.br/2016/05/ectos-insert_all-and-schemaless-queries/

However, we understand there is a level of repetition, when interacting with the repository in your Phoenix controller, then in your terminal and so on. We are working on those and they should be much better on the new generators that will be part of Phoenix v1.3.



José Valim
Skype: jv.ptec
Founder and Director of R&D

--
You received this message because you are subscribed to the Google Groups "elixir-ecto" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elixir-ecto+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elixir-ecto/308924ea-2931-4e70-8a4e-3bcb973c83e8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

sp33...@gmail.com
Sep 29, 2016, 4:54:23 AM
to elixir-ecto, jose....@plataformatec.com.br
That sounds good! And let me take this opportunity to say that you and your team are doing awesome work with Elixir, Phoenix and Ecto. Keep it up! :)

