DEPRECATION WARNING: Dangerous query method (method whose arguments are used as raw SQL) called with non-attribute argument(s): "max(taggings.created_at)"

[aalbagarcia]

Hi,

I'm trying to upgrade our rails application to version 5.2. I'm using the fork from @Fodoj mentioned in pull request #887.

Using his pull request, the tests in our test suite which are related to acts-as-taggable-on are all back to green but we are getting a ton of deprecation warnings like the following:

DEPRECATION WARNING: Dangerous query method (method whose arguments are used as raw SQL) 
called with non-attribute argument(s): "max(taggings.created_at)". Non-attribute arguments will be 
disallowed in Rails 6.0. This method should not be called with user-provided values, such as request 
parameters or model attributes. Known-safe values can be passed by wrapping them in Arel.sql(). 
(called from all_tags_on at /opt/rubies/ruby-2.5.0/lib/ruby/gems/2.5.0/bundler/gems/acts-as-
taggable-on-8a4d41bc3107/lib/acts_as_taggable_on/taggable/core.rb:179)

I gave it a try so I replaced line 179 in lib/acts_as_taggable_on/taggable/core.rb:179

scope.order("max(#{tagging_table_name}.created_at)").group(group_columns)

with

scope.order(Arel.sql("max(#{tagging_table_name}.created_at)")).group(group_columns)

and the deprecation warnings went away.

[Fodoj]

I will try to add your fix today/tomorrow to my PR, thanks a lot. I will also updates deps to Rails 5.2, so it can be merged finally.

[aalbagarcia]

@Fodoj You are the one to thank!! Looking forward to see your PR finally merged. Thanks!!

[Fodoj]

@aalbagarcia I've introduced your fix, thanks a lot - #887.