Inject bind variables in rails 4 with prepared_statements set to false (zooniverse#3139)

* ensure the travis disables prepared statements

non local envs disable prepared statements, manual SQL work relies on testing these code paths.

* disable prepared_statemetns for travis testing

* switch to sanitize the sql string vs use bind params

* replace named bind vars

use internal Sanitization method replace_named_bind_variables to safely inject the subject_set_id

* This is certainly one way to do it.

* test rails 5 AR code paths

* remove the panoptes rails5? method

Author: camallen

app/workers/subject_metadata_worker.rb

@@ -2,19 +2,43 @@ class SubjectMetadataWorker
   include Sidekiq::Worker
 
   def perform(subject_set_id)
-    update_sms_priority_sql = <<-SQL
-      UPDATE set_member_subjects
-      SET    priority = CAST(subjects.metadata->>'#priority' AS NUMERIC)
-      FROM   subjects
-      WHERE  subjects.id = set_member_subjects.subject_id
-      AND    subjects.metadata ? '#priority'
-      AND    set_member_subjects.subject_set_id = $1
-    SQL
-
-    ActiveRecord::Base.connection.exec_update(
-      update_sms_priority_sql,
-      "SQL",
-      [[nil, subject_set_id]]
-    )
+    if ActiveRecord::VERSION::MAJOR == 5
+      update_sms_priority_sql = <<-SQL
+        UPDATE set_member_subjects
+        SET    priority = CAST(subjects.metadata->>'#priority' AS NUMERIC)
+        FROM   subjects
+        WHERE  subjects.id = set_member_subjects.subject_id
+        AND    subjects.metadata ? '#priority'
+        AND    set_member_subjects.subject_set_id = $1
+      SQL
+      ActiveRecord::Base.connection.exec_update(
+        update_sms_priority_sql,
+        "SQL",
+        [[nil, subject_set_id]]
+      )
+    else
+      update_sms_priority_sql = <<-SQL
+        UPDATE set_member_subjects
+        SET    priority = CAST(subjects.metadata->>'#priority' AS NUMERIC)
+        FROM   subjects
+        WHERE  subjects.id = set_member_subjects.subject_id
+        AND    subjects.metadata ? '#priority'
+        AND    set_member_subjects.subject_set_id = :subject_set_id
+      SQL
+      # handle incorrect bind params for non preparted statements
+      # in exec_update, fixed in rails 5
+      # https://github.com/rails/rails/issues/24893
+      # https://github.com/rails/rails/issues/34183
+      bound_update_sms_priority_sql = ActiveRecord::Base.send(
+        :replace_named_bind_variables,
+        update_sms_priority_sql,
+        {subject_set_id: subject_set_id}
+      )
+      ActiveRecord::Base.connection.exec_update(
+        bound_update_sms_priority_sql,
+        "SQL",
+        []
+      )
+    end
   end
 end

config/database.yml.hudson

@@ -7,6 +7,7 @@ default: &default
   host: pg
   pool: 5
   port: 5432
+  prepared_statements: false
 
 development:
   <<: *default

lib/tasks/configure.rake

@@ -31,6 +31,7 @@ test:
   adapter: postgresql
   database: travis_ci_test
   username: postgres
+  prepared_statements: false
 YAML
 
     File.open('config/redis.yml', 'w') { |f| f.write(<<YAML) }

spec/workers/subject_metadata_worker_spec.rb

@@ -17,6 +17,16 @@
   end
 
   describe "#perform" do
+    # TODO: Rails 5 combine the tests to one
+    # to test behaviour not AR calling interface
+    it 'calls the correct RAILS 5 AR methods' do
+      stub_const("ActiveRecord::VERSION::MAJOR", 5)
+      expect(ActiveRecord::Base.connection)
+        .to receive(:exec_update)
+        .with(instance_of(String), "SQL",[[nil, subject_set.id]])
+      worker.perform(subject_set.id)
+    end
+
     it 'copies priority from metadata to SMS attribute' do
       worker.perform(subject_set.id)
       sms_one, sms_two, sms_three = SetMemberSubject.find(