fix(funcspec): add support for query param filters

* Introduced AllowQueryParamFilters option in SqlQueryOptions * Implemented applyQueryParamFilters method to handle field filters
fix(funcspec): enhance quote detection for parameters
2026-05-15 16:25:20 +00:00 · 2026-05-15 09:07:21 +02:00 · 2026-05-15 08:26:59 +02:00 · 2026-05-11 14:24:25 +02:00
3 changed files with 125 additions and 37 deletions
--- a/pkg/funcspec/function_api.go
+++ b/pkg/funcspec/function_api.go
@@ -31,6 +31,7 @@ type SqlQueryOptions struct {
 	NoCount                bool
 	BlankParams            bool
 	AllowFilter            bool
 	AllowQueryParamFilters bool
 }
 func NewSqlQueryOptions() SqlQueryOptions {
@@ -38,6 +39,7 @@ func NewSqlQueryOptions() SqlQueryOptions {
 		NoCount:                false,
 		BlankParams:            true,
 		AllowFilter:            true,
 		AllowQueryParamFilters: false,
 	}
 }
@@ -138,6 +140,11 @@ func (h *Handler) SqlQueryList(sqlquery string, options SqlQueryOptions) HTTPFun
 		// Merge query string parameters
 		sqlquery = h.mergeQueryParams(r, sqlquery, variables, options.AllowFilter, propQry)
 		// Apply p_-prefixed query params as field filters
 		if options.AllowQueryParamFilters {
 			sqlquery = h.applyQueryParamFilters(r, sqlquery)
 		}
 		// Merge header parameters
 		sqlquery = h.mergeHeaderParams(r, sqlquery, variables, propQry, &complexAPI)
@@ -168,9 +175,16 @@ func (h *Handler) SqlQueryList(sqlquery string, options SqlQueryOptions) HTTPFun
 		// Replace meta variables in SQL
 		sqlquery = h.replaceMetaVariables(sqlquery, r, userCtx, metainfo, variables)
-		// Remove unused input variables
+		// Replace variables from provided values, then blank any remaining unused ones
 		if options.BlankParams {
 		for _, kw := range inputvars {
 			varName := kw[1 : len(kw)-1] // strip [ and ]
 			if val, ok := variables[varName]; ok {
 				if strVal := fmt.Sprintf("%v", val); strVal != "" {
 					sqlquery = strings.ReplaceAll(sqlquery, kw, ValidSQL(strVal, "colvalue"))
 					continue
 				}
 			}
 			if options.BlankParams {
 				replacement := getReplacementForBlankParam(sqlquery, kw)
 				sqlquery = strings.ReplaceAll(sqlquery, kw, replacement)
 				logger.Debug("Replaced unused variable %s with: %s", kw, replacement)
@@ -474,6 +488,11 @@ func (h *Handler) SqlQuery(sqlquery string, options SqlQueryOptions) HTTPFuncTyp
 		// Merge query string parameters
 		sqlquery = h.mergeQueryParams(r, sqlquery, variables, false, propQry)
 		// Apply p_-prefixed query params as field filters
 		if options.AllowQueryParamFilters {
 			sqlquery = h.applyQueryParamFilters(r, sqlquery)
 		}
 		// Merge header parameters
 		sqlquery = h.mergeHeaderParams(r, sqlquery, variables, propQry, &complexAPI)
 		hookCtx.ComplexAPI = complexAPI
@@ -520,9 +539,16 @@ func (h *Handler) SqlQuery(sqlquery string, options SqlQueryOptions) HTTPFuncTyp
 			}
 		}
-		// Remove unused input variables
+		// Replace variables from provided values, then blank any remaining unused ones
 		if options.BlankParams {
 		for _, kw := range inputvars {
 			varName := kw[1 : len(kw)-1] // strip [ and ]
 			if val, ok := variables[varName]; ok {
 				if strVal := fmt.Sprintf("%v", val); strVal != "" {
 					sqlquery = strings.ReplaceAll(sqlquery, kw, ValidSQL(strVal, "colvalue"))
 					continue
 				}
 			}
 			if options.BlankParams {
 				replacement := getReplacementForBlankParam(sqlquery, kw)
 				sqlquery = strings.ReplaceAll(sqlquery, kw, replacement)
 				logger.Debug("Replaced unused variable %s with: %s", kw, replacement)
@@ -824,6 +850,43 @@ func (h *Handler) mergeHeaderParams(r *http.Request, sqlquery string, variables
 	return sqlquery
 }
 // sqlStripStringLiterals removes the contents of single-quoted string literals from SQL,
 // leaving the structural identifiers (column names, table names) intact.
 // Used to check column presence without matching inside string arguments.
 func sqlStripStringLiterals(sql string) string {
 	re := regexp.MustCompile(`'(?:[^']|'')*'`)
 	return re.ReplaceAllString(sql, "''")
 }
 // applyQueryParamFilters applies query parameters as SQL field filters when the param name
 // appears as a structural identifier in the SQL (not inside a string literal).
 // e.g. ?rid_parent=0 → (rid_parent = 0 OR rid_parent IS NULL)
 func (h *Handler) applyQueryParamFilters(r *http.Request, sqlquery string) string {
 	sqlStructure := strings.ToLower(sqlStripStringLiterals(sqlquery))
 	for parmk, parmv := range r.URL.Query() {
 		if len(parmv) == 0 || !strings.Contains(sqlStructure, strings.ToLower(parmk)) {
 			continue
 		}
 		val := parmv[0]
 		dec, err := restheadspec.DecodeParam(val)
 		if err == nil {
 			val = dec
 		}
 		col := ValidSQL(parmk, "colname")
 		switch {
 		case val == "0":
 			sqlquery = sqlQryWhere(sqlquery, fmt.Sprintf("(%[1]s = 0 OR %[1]s IS NULL)", col))
 		case val == "":
 			sqlquery = sqlQryWhere(sqlquery, fmt.Sprintf("(%[1]s = '' OR %[1]s IS NULL)", col))
 		case IsNumeric(val):
 			sqlquery = sqlQryWhere(sqlquery, fmt.Sprintf("%s = %s", col, ValidSQL(val, "colvalue")))
 		default:
 			sqlquery = sqlQryWhere(sqlquery, fmt.Sprintf("%s = '%s'", col, ValidSQL(val, "colvalue")))
 		}
 	}
 	return sqlquery
 }
 // replaceMetaVariables replaces meta variables like [rid_user], [user], etc. in the SQL query
 func (h *Handler) replaceMetaVariables(sqlquery string, r *http.Request, userCtx *security.UserContext, metainfo map[string]interface{}, variables map[string]interface{}) string {
 	if strings.Contains(sqlquery, "[p_meta_default]") {
@@ -991,8 +1054,8 @@ func getReplacementForBlankParam(sqlquery, param string) string {
 		charAfter = sqlquery[endIdx]
 	}
-	// Check if parameter is surrounded by quotes (single quote or dollar sign for PostgreSQL dollar-quoted strings)
+	// Check if parameter is surrounded by quotes (single quote, dollar sign for PostgreSQL dollar-quoted strings, or double quote for JSON string values)
-	if (charBefore == '\'' || charBefore == '$') && (charAfter == '\'' || charAfter == '$') {
+	if (charBefore == '\'' || charBefore == '$' || charBefore == '"') && (charAfter == '\'' || charAfter == '$' || charAfter == '"') {
 		// Parameter is in quotes, return empty string
 		return ""
 	}
--- a/pkg/reflection/helpers.go
+++ b/pkg/reflection/helpers.go
@@ -76,9 +76,14 @@ func GetJSONNameForField(modelType reflect.Type, fieldName string) string {
 		return ""
 	}
-	// Handle pointer types
+	// Unwrap pointer and slice indirections to reach the struct type
-	if modelType.Kind() == reflect.Ptr {
+	for {
 		switch modelType.Kind() {
 		case reflect.Ptr, reflect.Slice:
 			modelType = modelType.Elem()
 			continue
 		}
 		break
 	}
 	if modelType.Kind() != reflect.Struct {
--- a/pkg/reflection/model_utils.go
+++ b/pkg/reflection/model_utils.go
@@ -541,9 +541,14 @@ func collectSQLColumnsFromType(typ reflect.Type, columns *[]string, scanOnlyEmbe
 func IsColumnWritable(model any, columnName string) bool {
 	modelType := reflect.TypeOf(model)
-	// Unwrap pointers to get to the base struct type
+	// Unwrap pointers and slices to get to the base struct type
-	for modelType != nil && modelType.Kind() == reflect.Pointer {
+	for modelType != nil {
 		switch modelType.Kind() {
 		case reflect.Ptr, reflect.Slice:
 			modelType = modelType.Elem()
 			continue
 		}
 		break
 	}
 	// Validate that we have a struct type
@@ -878,8 +883,14 @@ func GetRelationType(model interface{}, fieldName string) RelationType {
 		return RelationUnknown
 	}
-	if modelType.Kind() == reflect.Ptr {
+	// Unwrap pointer → slice → pointer chains to reach the underlying struct
 	for {
 		switch modelType.Kind() {
 		case reflect.Ptr, reflect.Slice:
 			modelType = modelType.Elem()
 			continue
 		}
 		break
 	}
 	if modelType == nil || modelType.Kind() != reflect.Struct {
@@ -1472,9 +1483,14 @@ func convertToFloat64(value interface{}) (float64, bool) {
 func GetValidJSONFieldNames(modelType reflect.Type) map[string]bool {
 	validFields := make(map[string]bool)
-	// Unwrap pointers to get to the base struct type
+	// Unwrap pointers and slices to get to the base struct type
-	for modelType != nil && modelType.Kind() == reflect.Pointer {
+	for modelType != nil {
 		switch modelType.Kind() {
 		case reflect.Ptr, reflect.Slice:
 			modelType = modelType.Elem()
 			continue
 		}
 		break
 	}
 	if modelType == nil || modelType.Kind() != reflect.Struct {
@@ -1535,8 +1551,13 @@ func getRelationModelSingleLevel(model interface{}, fieldName string) interface{
 		return nil
 	}
-	if modelType.Kind() == reflect.Ptr {
+	for {
 		switch modelType.Kind() {
 		case reflect.Ptr, reflect.Slice:
 			modelType = modelType.Elem()
 			continue
 		}
 		break
 	}
 	if modelType == nil || modelType.Kind() != reflect.Struct {
@@ -1599,17 +1620,16 @@ func getRelationModelSingleLevel(model interface{}, fieldName string) interface{
 		return nil
 	}
-	if targetType.Kind() == reflect.Slice {
+	for {
 		switch targetType.Kind() {
 		case reflect.Ptr, reflect.Slice:
 			targetType = targetType.Elem()
 			if targetType == nil {
 				return nil
 			}
 			continue
 		}
-	if targetType.Kind() == reflect.Ptr {
+		break
 		targetType = targetType.Elem()
 		if targetType == nil {
 			return nil
 		}
 	}
 	if targetType.Kind() != reflect.Struct {
Author	SHA1	Message	Date
Hein	49639b6c19	fix(funcspec): add support for query param filters * Introduced AllowQueryParamFilters option in SqlQueryOptions * Implemented applyQueryParamFilters method to handle field filters	2026-05-15 09:07:21 +02:00
Hein	8733176cba	fix(funcspec): enhance quote detection for parameters	2026-05-15 08:26:59 +02:00
Hein	bce27f7ed2	fix: 🐛 Fixed array to slice array resolution on reflection GetRelationType Some checks failed Build , Vet Test, and Lint / Run Vet Tests (1.23.x) (push) Failing after -35m20s Details Build , Vet Test, and Lint / Run Vet Tests (1.24.x) (push) Failing after -35m20s Details Build , Vet Test, and Lint / Lint Code (push) Failing after -35m20s Details Build , Vet Test, and Lint / Build (push) Failing after -35m20s Details Tests / Unit Tests (push) Failing after -35m21s Details Tests / Integration Tests (push) Failing after -35m21s Details	2026-05-11 14:24:25 +02:00