Ransack 4.0 allowlist be an optional config

[gvkhna]

This allowlist enforcement actually needs to be able to be turned off. I understand the security protections trying to be put in place by this change. But for many apps it's not even needed, internal only apps that aren't even internet accessible don't need additional any additional attention. I can understand default requiring this but a simple config of some kind to turn it off would be needed as well.

TLDR: This was a breaking change and instituted quite abruptly, and so everyone probably is just pinning to the older version.

[sk-]

Another reason to offer an opt out mechanism is the performance degradation reported in #1462

[Tmpv]

The old behaviour is quite simple to implement and is actually mentioned in one of the tests implementing the new requirement.

But this is not mentioned in the official documentation.

[gvkhna]

@Tmpv Am i missing something, I added that to ApplicationRecord and I get undefined method authorizable_ransackable_attributes on a class that descends from ApplicationRecord?