Package com.onec.ui

Class WidgetFilter

java.lang.Object
com.onec.ui.WidgetFilter

public final class WidgetFilter extends Object
Parses an authored count/metric-card filter predicate into a safe SQL fragment with bound parameters. The grammar is deliberately small — a chain of field op value comparisons joined by AND — so a dashboard author can write config("filter", "status != cancelled") without the framework ever interpolating user text into SQL.

Injection safety rests on two rules: the left-hand side must be a known column (validated against the entity's columns plus a small system allowlist) matching a strict identifier pattern, and the right-hand value is always a bound parameter. An unrecognised column is skipped with a warning rather than failing the whole card, so a typo degrades to "no filter" instead of an error surface.

  • Method Details

    • parse

      public static WidgetFilter.Result parse(String filter, Set<String> allowedColumns)
      Parameters:
      filter - the authored predicate, e.g. "status != cancelled AND _posted = true"
      allowedColumns - the entity's column names; the system allowlist is added automatically
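As an added illustration of the two rules described above (not the project's own code), here is a hypothetical stand-alone re-implementation of parse: the left-hand side must match a strict identifier pattern and be in the entity's columns or the system allowlist, the operator comes from a fixed set, and only the value ever reaches the driver, as a bound parameter. The contents of the system allowlist, the shape of Result, and the boolean/number coercion are assumptions made for this example.

```java
import java.util.*;
import java.util.regex.*;

// Hypothetical re-implementation of WidgetFilter.parse; not the framework's code.
public final class WidgetFilterExample {
    public record Result(String sql, List<Object> params, List<String> warnings) {}

    // Assumed system allowlist: columns every entity may filter on besides its own.
    private static final Set<String> SYSTEM_ALLOWLIST = Set.of("_posted", "_id");

    // One "field op value" term: identifier is [A-Za-z_][A-Za-z0-9_]*, operator from a fixed set.
    private static final Pattern TERM = Pattern.compile(
        "^([A-Za-z_][A-Za-z0-9_]*)\\s*(=|!=|<=|>=|<|>)\\s*(\\S.*)$");

    public static Result parse(String filter, Set<String> allowedColumns) {
        List<String> clauses = new ArrayList<>();
        List<Object> params = new ArrayList<>();
        List<String> warnings = new ArrayList<>();
        if (filter == null || filter.isBlank()) return new Result("", params, warnings);
        for (String raw : filter.split("(?i)\\s+AND\\s+")) {
            Matcher m = TERM.matcher(raw.trim());
            if (!m.matches()) { warnings.add("unparseable term skipped: " + raw.trim()); continue; }
            String column = m.group(1);
            if (!allowedColumns.contains(column) && !SYSTEM_ALLOWLIST.contains(column)) {
                // Unknown column degrades to "no filter" for this term instead of failing the card.
                warnings.add("unknown column skipped: " + column);
                continue;
            }
            // Only the validated identifier and the fixed operator are placed in SQL text;
            // the right-hand value is always a "?" placeholder bound separately.
            clauses.add(column + " " + m.group(2) + " ?");
            params.add(coerce(m.group(3).trim()));
        }
        return new Result(String.join(" AND ", clauses), params, warnings);
    }

    // Assumed literal coercion: true/false bind as Boolean, integers as Long, everything else as String.
    private static Object coerce(String v) {
        if (v.equalsIgnoreCase("true") || v.equalsIgnoreCase("false")) return Boolean.valueOf(v);
        if (v.matches("-?\\d+")) return Long.parseLong(v);
        return v;
    }

    public static void main(String[] args) {
        // Constructed input: one valid entity column, one system column, one typo'd column.
        Result r = parse("status != cancelled AND _posted = true AND statsu = 1",
                         Set.of("status", "amount"));
        System.out.println(r.sql());
        System.out.println(r.params());
        System.out.println(r.warnings());
    }
}
```

Because the value is captured only as a parameter, a right-hand side containing quotes, semicolons or SQL keywords is bound as an ordinary string rather than being interpreted, while the left-hand side can only ever be an allowlisted identifier.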