Ransack

Search and filtering library for Ruby on Rails. It translates HTTP params into ActiveRecord scopes using a predicate-based DSL. Ransack params: `q[name_cont]=foo` (name contains), `q[status_eq]=active` (equals), `q[created_at_gteq]=2024-01-01` (greater-than-or-equal), `q[s]=name+asc` (sort). Controller: `@q = Agent.ransack(params[:q]); @agents = @q.result`. View helpers: `sort_link(@q, :name)` for sortable column headers. Supports associations (`q[user_email_cont]`), custom ransackers for computed attributes, and form helpers for search form generation. Successor to MetaSearch.

Evaluated Mar 06, 2026, v4.x
Developer Tools ruby rails search filter sort activerecord predicates query-builder
⚙ Agent Friendliness: 63 / 100 (Can an agent use this?)
🔒 Security: 84 / 100 (Is it safe for agents?)
⚡ Reliability: 80 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

MCP Quality: --
Documentation: 85
Error Messages: 78
Auth Simplicity: 88
Rate Limits: 92

🔒 Security

TLS Enforcement: 88
Auth Strength: 82
Scope Granularity: 85
Dep. Hygiene: 85
Secret Handling: 82

Ransack is a common source of Rails security vulnerabilities — always whitelist ransackable_attributes to prevent unauthorized column access. Never allow search on password_digest, api_key, or other sensitive agent model attributes. Use ransackable_associations to control which relations are searchable.

⚡ Reliability

Uptime/SLA: 85
Version Stability: 80
Breaking Changes: 75
Error Recovery: 82

Best When

You're building Rails admin interfaces or list views that need user-controllable search, filtering, and sorting — Ransack eliminates boilerplate query-building code with declarative params.

Avoid When

You need full-text search with relevance, faceted search, or your search logic is complex enough to require custom SQL that doesn't fit Ransack's predicate model.

Use Cases

  • Agent list search and filter UI — Ransack params q[name_cont] and q[status_eq] power agent admin search form; @q = Agent.ransack(params[:q]) generates safe SQL WHERE clauses from user input
  • Sortable agent tables — sort_link(@q, :name) Ransack view helper generates sort links with direction toggle for agent management tables without custom controller logic
  • Multi-field agent search — q[name_or_description_cont]=keyword searches across multiple agent attributes with single OR query; Ransack generates optimized SQL LIKE clause
  • Association-based agent filtering — q[user_email_cont]=@company.com filters agents by owner email through belongs_to association without explicit joins in controller
  • Date range filtering for agent analytics — q[created_at_gteq]=2024-01-01&q[created_at_lteq]=2024-12-31 generates BETWEEN clause for agent creation date range filtering in reporting views

Not For

  • Full-text search — Ransack uses SQL LIKE for contains predicate; for full-text agent search with relevance ranking, use Searchkick (Elasticsearch) or pg_search (PostgreSQL full-text)
  • Complex custom search logic — Ransack's predicate system handles common cases; for agent search with custom scoring, facets, or multi-index search, use dedicated search engines
  • APIs without form-based search — Ransack's param naming convention (q[field_predicate]) is designed for form submission; for programmatic agent API search, GraphQL filters or custom scopes are cleaner

Interface

REST API: No
GraphQL: No
gRPC: No
MCP Server: No
SDK: Yes
Webhooks: No

Authentication

Methods: none
OAuth: No
Scopes: No

No auth — Ransack builds scopes from params. Ransackable attributes/associations must be explicitly whitelisted to prevent unauthorized access to hidden columns.

Pricing

Model: open_source
Free tier: Yes
Requires CC: No

Ransack is MIT licensed. Free for all use.

Agent Metadata

Pagination: offset
Idempotent: Full
Retry Guidance: Not documented

Known Gotchas

  • ransackable_attributes whitelist required in Rails 6.1+ — Ransack 4.x requires explicit def self.ransackable_attributes; omitting it raises Ransack::UnauthorizedSearch for all searches; add class method to Agent model listing allowed search attributes or all searches fail
  • Sorting by virtual attributes requires custom ransacker — sort_link on computed attributes (agent.display_name derived from first_name + last_name) needs ransacker(:display_name) { Arel.sql("first_name || ' ' || last_name") }; sort on undefined ransacker silently falls back to default sort causing confusing agent list ordering
  • result(distinct: true) required for association searches — searching through has_many associations produces duplicate rows without .result(distinct: true); agent search q[tags_name_cont]=ml returns duplicate agent rows for agents with multiple matching tags; always use distinct: true for association predicates
  • Ransack params are user-controlled — q[admin_eq]=true could expose admin column if ransackable_attributes includes :admin; always whitelist only searchable agent attributes; never expose sensitive columns (api_key, password_digest) in ransackable_attributes
  • Predicate combinations are AND by default — multiple q[] params use AND logic; Ransack groupings (q[g][0][m]=or) enable OR across groups but syntax is complex; for agent search needing OR across multiple fields, use q[name_or_description_cont] combinator syntax instead of groupings
  • 4.x changed default strictness — Ransack 4.0 changed default to strict mode raising errors on unauthorized attributes; upgrading from 3.x may break agent search forms that relied on silent ignore behavior; audit all Ransack usage and add ransackable_attributes to every searched model before upgrading
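
The allowlisting advice above, as an added example (not Ransack's own code or API): a plain-Ruby pre-check that splits `q` keys into attributes and predicate, including sort and grouping params, and reports every reference outside the allowlist before the params reach `Agent.ransack`. `PREDICATES` is a subset of Ransack's built-in predicates; `ALLOWED`, `SENSITIVE`, `split_key`, `classify`, `audit_q` and `SAMPLE_Q` are assumptions of this sketch.

```ruby
# Added example: audit Ransack-style q params against an allowlist (plain Ruby).
# Longest predicates first so "not_cont" wins over "cont". Subset of the built-ins.
PREDICATES = %w[not_cont not_eq i_cont gteq lteq start cont end eq gt lt in].freeze
ALLOWED    = %w[name description status created_at].freeze # hypothetical allowlist
SENSITIVE  = /password|digest|token|secret|api_key/i       # hypothetical patterns

# "name_or_description_cont" -> [["name", "description"], "cont"]; nil if no predicate.
# Assumes attribute names do not themselves contain "_or_" / "_and_".
def split_key(key)
  pred = PREDICATES.find { |p| key.end_with?("_#{p}") }
  pred && [key.delete_suffix("_#{pred}").split(/_(?:or|and)_/), pred]
end

def classify(attr)
  SENSITIVE.match?(attr) ? :sensitive : :not_allowlisted
end

# Returns [param_key, attribute, reason] for every reference outside the allowlist.
def audit_q(q, allowed: ALLOWED)
  findings = []
  q.each do |key, value|
    key = key.to_s
    case key
    when "m" then next # combinator (and/or) carries no attribute
    when "g"           # groupings: audit each nested condition set
      next unless value.is_a?(Hash)
      value.each_value { |sub| findings.concat(audit_q(sub, allowed: allowed)) if sub.is_a?(Hash) }
    when "s"           # sort: "name asc"
      Array(value).each do |v|
        attr = v.to_s.split.first.to_s
        findings << [key, attr, classify(attr)] unless allowed.include?(attr)
      end
    else
      attrs, = split_key(key)
      if attrs.nil?
        findings << [key, nil, :unknown_predicate]
      else
        attrs.each { |a| findings << [key, a, classify(a)] unless allowed.include?(a) }
      end
    end
  end
  findings
end

# Constructed sample request params (not from a real application).
SAMPLE_Q = { "name_or_description_cont" => "ml", "status_eq" => "active",
             "password_digest_cont" => "x", "admin_eq" => "true", "s" => "api_key asc",
             "g" => { "0" => { "m" => "or", "created_at_gteq" => "2024-01-01",
                               "secret_token_eq" => "x" } } }.freeze

audit_q(SAMPLE_Q).each { |key, attr, why| puts "#{why}: q[#{key}] -> #{attr.inspect}" }
```

A check like this is useful for logging and alerting on probes of sensitive columns; the model-level `ransackable_attributes` and `ransackable_associations` remain the enforcement point.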


Scores are editorial opinions as of 2026-03-06.
