fix: search improve

binaryk · binaryk · commit 632d3c25745d · 2025-08-28T13:48:34.000+03:00
diff --git a/UPGRADING.md b/UPGRADING.md
@@ -119,6 +119,52 @@ class UserRepository extends Repository
 
 This change is also **100% backward compatible** - existing static arrays continue to work perfectly.
 
+## Breaking Changes
+
+### Default Search Behavior Change
+
+🚨 **Breaking Change**: In version 10, repositories no longer search by the model's primary key (ID) by default when no searchable fields are defined.
+
+**Before (v9 and earlier):**
+```php
+class UserRepository extends Repository
+{
+    // No $search property defined
+    // Automatically searched by 'id' field by default
+}
+```
+
+**After (v10):**
+```php
+class UserRepository extends Repository
+{
+    // No $search property defined
+    // No searchable fields available - search returns empty results
+}
+```
+
+**To maintain the previous behavior**, add this method to your Repository parent class or individual repositories:
+
+```php
+public static function searchables(): array
+{
+    return empty(static::$search)
+        ? [static::newModel()->getKeyName()]
+        : static::$search;
+}
+```
+
+**Why this change was made:**
+- **Security**: Prevents unintended ID-based searches on sensitive repositories
+- **Explicit configuration**: Forces developers to explicitly define searchable fields
+- **Performance**: Avoids unnecessary database queries when search isn't intended
+- **Consistency**: Aligns with the principle of explicit over implicit behavior
+
+**Migration strategy:**
+1. **Immediate fix**: Add the `searchables()` method to your base Repository class to restore v9 behavior globally
+2. **Recommended approach**: Review each repository and explicitly define `$search` arrays with appropriate fields
+3. **Security review**: Consider which repositories should actually be searchable and by which fields
+
 ### Configuration File Updates
 
 When upgrading to v10, it's important to ensure your local `config/restify.php` file includes all the new configuration options that have been added.
diff --git a/src/Filters/SearchableFilter.php b/src/Filters/SearchableFilter.php
@@ -27,7 +27,9 @@ public function filter(RestifyRequest $request, $query, $value)
         $likeOperator = $connectionType == 'pgsql' ? 'ilike' : 'like';
 
         if (isset($this->belongsToField)) {
+            ray('Searching through BelongsTo relation');
             if (! $this->belongsToField->authorize($request)) {
+                ray('BelongsTo field not authorized for this request, skipping search.');
                 return $query;
             }
 
diff --git a/src/Filters/SearchablesCollection.php b/src/Filters/SearchablesCollection.php
@@ -28,14 +28,8 @@ public function __construct($items = [])
             } elseif ($searchable instanceof Filter) {
                 // Other Filter instance - keep it
                 $unified[] = $searchable;
-            } elseif (is_callable($searchable)) {
-                // Closure or invokable - create SearchableFilter with closure
-                $filter = new SearchableFilter;
-                $filter->usingClosure($searchable);
-                $filter->setColumn(is_string($key) && ! is_numeric($key) ? $key : 'unknown');
-                $unified[] = $filter;
             } elseif (is_string($searchable)) {
-                // String column name
+                // String column name (including string callables like "MyClass::method")
                 $filter = new SearchableFilter;
                 $filter->setColumn($searchable);
                 $unified[] = $filter;
@@ -44,6 +38,12 @@ public function __construct($items = [])
                 $filter = new SearchableFilter;
                 $filter->setColumn($key);
                 $unified[] = $filter;
+            } elseif (is_callable($searchable)) {
+                // Non-string callables (closures, arrays, invokables)
+                $filter = new SearchableFilter;
+                $filter->usingClosure($searchable);
+                $filter->setColumn(is_string($key) && ! is_numeric($key) ? $key : 'unknown');
+                $unified[] = $filter;
             }
         }
 
diff --git a/src/Repositories/Repository.php b/src/Repositories/Repository.php
@@ -125,7 +125,7 @@ class Repository implements JsonSerializable, RestifySearchable
     /**
      * The list of searchable fields.
      */
-    public static array $search;
+    public static array $search = [];
 
     /**
      * The list of matchable fields.
diff --git a/src/Traits/InteractWithSearch.php b/src/Traits/InteractWithSearch.php
@@ -27,9 +27,7 @@ trait InteractWithSearch
 
     public static function searchables(): array
     {
-        return empty(static::$search)
-            ? [static::newModel()->getKeyName()]
-            : static::$search;
+        return static::$search;
     }
 
     public static function withs(): array

Original file line number	Diff line number	Diff line change
`@@ -27,7 +27,9 @@ public function filter(RestifyRequest $request, $query, $value)`
`27`	`27`	`$likeOperator = $connectionType == 'pgsql' ? 'ilike' : 'like';`
`28`	`28`
`29`	`29`	`if (isset($this->belongsToField)) {`
	`30`	`+ ray('Searching through BelongsTo relation');`
`30`	`31`	`if (! $this->belongsToField->authorize($request)) {`
	`32`	`+ ray('BelongsTo field not authorized for this request, skipping search.');`
`31`	`33`	`return $query;`
`32`	`34`	`}`
`33`	`35`
Original file line number	Diff line number	Diff line change
`@@ -27,9 +27,7 @@ trait InteractWithSearch`
`27`	`27`
`28`	`28`	`public static function searchables(): array`
`29`	`29`	`{`
`30`		`- return empty(static::$search)`
`31`		`- ? [static::newModel()->getKeyName()]`
`32`		`- : static::$search;`
	`30`	`+ return static::$search;`
`33`	`31`	`}`
`34`	`32`
`35`	`33`	`public static function withs(): array`