camaleon_cms 2.9.0 → 2.9.2

data/app/helpers/camaleon_cms/html_helper.rb

@@ -140,7 +140,21 @@ module CamaleonCms
 
     # execute translation for value if this value is like: t(admin.my_text) ==> My Text
     def cama_print_i18n_value(value)
-      value.start_with?('t(') ? eval(value.sub('t(', 'I18n.t(')) : value
+      return value unless value.is_a?(String)
+      return value unless value.start_with?('t(') && value.end_with?(')')
+
+      # Use an exclusive end index to strip the trailing ')' without nil-coercion.
+      key = value[2...-1].strip
+      # If the expression uses matching single/double quotes, unwrap the key before translation;
+      # the quoted form still only accepts simple i18n key characters: a-z, A-Z, 0-9, _, ., and -.
+      quoted_key_match = key.match(/\A(['"])([a-zA-Z0-9_.-]+)\1\z/)
+      key = quoted_key_match[2] if quoted_key_match
+
+      # Only translate simple i18n keys so arbitrary Ruby is never evaluated.
+      # Allowed chars: a-z, A-Z, 0-9, _, ., and -.
+      return value unless key.match?(/\A[a-zA-Z0-9_.-]+\z/)
+
+      I18n.t(key)
     end
   end
 end

data/app/helpers/camaleon_cms/session_helper.rb

@@ -26,7 +26,7 @@ module CamaleonCms
       if redirect_url.present?
         redirect_to redirect_url
       elsif (return_to = cookies.delete(:return_to)).present?
-        redirect_to return_to
+        redirect_to safe_redirect_url(return_to) || cama_admin_dashboard_path
       else
         redirect_to cama_admin_dashboard_path
       end
@@ -167,6 +167,18 @@ module CamaleonCms
 
     private
 
+    # validate redirect url to prevent open redirect attacks
+    def safe_redirect_url(url)
+      return if url.blank?
+
+      uri = URI.parse(url)
+      return if uri.host.present? && uri.host != request.host
+
+      url
+    rescue URI::InvalidURIError
+      nil
+    end
+
     # calculate the current user for API
     def cama_calc_api_current_user
       begin

data/app/helpers/camaleon_cms/site_helper.rb

@@ -2,9 +2,21 @@ module CamaleonCms
   module SiteHelper
     # return current site or assign a site as a current site
     def current_site(site = nil)
-      @current_site = site.decorate if site.present?
-      return $current_site if defined?($current_site)
-      return @current_site if defined?(@current_site)
+      if site.present?
+        @current_site = site.decorate
+        CurrentRequest.site = @current_site
+        return @current_site
+      end
+
+      if defined?($current_site)
+        CurrentRequest.site = $current_site
+        return $current_site
+      end
+
+      if defined?(@current_site) && @current_site.present?
+        CurrentRequest.site = @current_site
+        return @current_site
+      end
 
       if PluginRoutes.get_sites.size == 1
         site = begin
@@ -35,6 +47,7 @@ module CamaleonCms
         Rails.logger.error 'Camaleon CMS - Please define your current site: $current_site = CamaleonCms::Site.first.decorate or map your domains: https://camaleon.website/documentation/category/139779-examples/how.html'.cama_log_style(:red)
       end
       @current_site = r[:site]
+      CurrentRequest.site = @current_site
     end
 
     # return current theme model for current site

data/app/helpers/camaleon_cms/uploader_helper.rb

@@ -1,5 +1,8 @@
 # frozen_string_literal: true
 
+require 'net/http'
+require 'tempfile'
+
 module CamaleonCms
   module UploaderHelper
     UNSAFE_EVENT_PATTERNS = %w[
@@ -80,21 +83,18 @@ module CamaleonCms
         thumb_size: nil
       }.merge!(settings)
       hooks_run('before_upload', settings)
-      res = { error: nil }
 
       # guard against path traversal
       return { error: 'Invalid file path' } unless cama_uploader.valid_folder_path?(settings[:folder])
 
       # formats validations
-      return { error: "#{ct('file_format_error')} (#{settings[:formats]})" } unless cama_uploader.class.validate_file_format(
-        uploaded_io.path, settings[:formats]
-      )
+      err = validate_file_format_or_error(uploaded_io.path, settings[:formats])
+      return err if err
 
       # file size validations
       if settings[:maximum] < settings[:file_size]
-        res[:error] =
-          "#{ct('file_size_exceeded', default: 'File size exceeded')} (#{number_to_human_size(settings[:maximum])})"
-        return res
+        max_size = number_to_human_size(settings[:maximum])
+        return { error: "#{ct('file_size_exceeded', default: 'File size exceeded')} (#{max_size})" }
       end
       # save file
       key = File.join(settings[:folder], settings[:filename]).to_s.cama_fix_slash
@@ -120,9 +120,7 @@ module CamaleonCms
       hooks_run('after_upload', settings)
 
       # temporal file upload (always put as local for temporal files)
-      if settings[:temporal_time] > 0
-        CamaleonCmsUploader.delete_block.call(settings, cama_uploader, key)
-      end
+      CamaleonCmsUploader.delete_block.call(settings, cama_uploader, key) if settings[:temporal_time] > 0
 
       res
     end
@@ -131,9 +129,8 @@ module CamaleonCms
     # key: key of the current file
     # the thumbnail will be saved in my_images/my_img.png => my_images/thumb/my_img.png
     def cama_uploader_generate_thumbnail(uploaded_io, key, thumb_size = nil, remove_source = false)
-      w = cama_uploader.thumb[:w]
-      h = cama_uploader.thumb[:h]
-      w, h = thumb_size.split('x') if thumb_size.present?
+      w = thumb_size.present? ? thumb_size.split('x')[0] : cama_uploader.thumb[:w]
+      h = thumb_size.present? ? thumb_size.split('x')[1] : cama_uploader.thumb[:h]
       uploaded_io = File.open(uploaded_io) if uploaded_io.is_a?(String)
       path_thumb = cama_resize_and_crop(uploaded_io.path, w, h)
       thumb = cama_uploader.add_file(path_thumb, cama_uploader.version_path(key).sub('.svg', '.jpg'), is_thumb: true,
@@ -187,11 +184,10 @@ module CamaleonCms
     #   (false => crop the image with this dimension)
     # replace: Boolean (replace current image or create another file)
     def cama_crop_image(file_path, w = nil, h = nil, w_offset = 0, h_offset = 0, resize = false, replace = true)
-      force = ''
-      force = '!' if w.present? && h.present? && !w.include?('?') && !h.include?('?')
+      force = w.present? && h.present? && !w.include?('?') && !h.include?('?') ? '!' : ''
       img = MiniMagick::Image.open(file_path)
-      w = img[:width].to_f > w.sub('?', '').to_i ? w.sub('?', '') : img[:width] if w.present? && w.to_s.include?('?')
-      h = img[:height].to_f > h.sub('?', '').to_i ? h.sub('?', '') : img[:height] if h.present? && h.to_s.include?('?')
+      w = clamp_to_image_dimension(w, img[:width])
+      h = clamp_to_image_dimension(h, img[:height])
       data = { img: img, w: w, h: h, w_offset: w_offset, h_offset: h_offset, resize: resize, replace: replace }
       hooks_run('before_crop_image', data)
       data[:img].combine_options do |i|
@@ -199,11 +195,8 @@ module CamaleonCms
         i.crop "#{w if w.present?}x#{h if h.present?}+#{w_offset}+#{h_offset}#{force}" unless data[:resize]
       end
 
-      res = file_path
-      unless data[:replace]
-        ext = File.extname(file_path)
-        res = file_path.gsub(ext, "_crop#{ext}")
-      end
+      ext = File.extname(file_path)
+      res = data[:replace] ? file_path : file_path.gsub(ext, "_crop#{ext}")
       data[:img].write res
       res
     end
@@ -228,8 +221,8 @@ module CamaleonCms
         file.sub! '.svg', '.jpg'
         settings[:output_name]&.sub!('.svg', '.jpg')
       end
-      w = img[:width].to_f > w.sub('?', '').to_i ? w.sub('?', '') : img[:width] if w.present? && w.to_s.include?('?')
-      h = img[:height].to_f > h.sub('?', '').to_i ? h.sub('?', '') : img[:height] if h.present? && h.to_s.include?('?')
+      w = clamp_to_image_dimension(w, img[:width])
+      h = clamp_to_image_dimension(h, img[:height])
       w_original = img[:width].to_f
       h_original = img[:height].to_f
       w = w.to_i if w.present?
@@ -280,41 +273,50 @@ module CamaleonCms
       tmp_path = args[:path] || File.join(Rails.public_path, 'tmp', current_site.id.to_s).to_s
       FileUtils.mkdir_p(tmp_path) unless Dir.exist?(tmp_path)
       saved = false
+      downloaded_tmp_file = nil
       if uploaded_io.is_a?(String) && uploaded_io.start_with?('data:') # create tmp file using base64 format
         _tmp_name = args[:name]
         return { error: cama_t('camaleon_cms.admin.media.name_required').to_s } unless params[:name].present?
-        return { error: "#{ct('file_format_error')} (#{args[:formats]})" } unless cama_uploader.class.validate_file_format(
-          _tmp_name, args[:formats]
-        )
+
+        err = validate_file_format_or_error(_tmp_name, args[:formats])
+        return err if err
 
         path = uploader_verify_name(File.join(tmp_path, _tmp_name))
         File.open(path, 'wb') { |f| f.write(Base64.decode64(uploaded_io.split(';base64,').last)) }
         uploaded_io = File.open(path)
         saved = true
       elsif uploaded_io.is_a?(String) && (uploaded_io.start_with?('http://') || uploaded_io.start_with?('https://'))
-        return { error: "#{ct('file_format_error')} (#{args[:formats]})" } unless cama_uploader.class.validate_file_format(
-          uploaded_io, args[:formats]
-        )
+        err = validate_file_format_or_error(uploaded_io, args[:formats])
+        return err if err
 
         if uploaded_io.include?(current_site.the_url(locale: nil))
           uploaded_io = File.join(Rails.public_path, uploaded_io.sub(current_site.the_url(locale: nil), '')).to_s
+        else
+          remote_file = cama_download_remote_file(uploaded_io)
+          return remote_file if remote_file[:error].present?
+
+          downloaded_tmp_file = remote_file[:file]
+          uploaded_io = downloaded_tmp_file
         end
-        _tmp_name = uploaded_io.split('/').last.split('?').first
+        _tmp_name = if uploaded_io.is_a?(String)
+                      uploaded_io.split('/').last.split('?').first
+                    else
+                      uploaded_io.path.split('/').last
+                    end
         args[:name] = args[:name] || _tmp_name
-        uploaded_io = URI(uploaded_io).open
       end
       uploaded_io = File.open(uploaded_io) if uploaded_io.is_a?(String)
-      return { error: "#{ct('file_format_error')} (#{args[:formats]})" } unless cama_uploader.class.validate_file_format(
-        _tmp_name || uploaded_io.path, args[:formats]
-      )
+      err = validate_file_format_or_error(_tmp_name || uploaded_io.path, args[:formats])
+      return err if err
 
-      if args[:maximum].present? && args[:maximum] < begin
+      actual_size = begin
         uploaded_io.size
       rescue StandardError
         File.size(uploaded_io)
       end
-        return { error: "#{ct('file_size_exceeded',
-                              default: 'File size exceeded')} (#{number_to_human_size(args[:maximum])})" }
+      if args[:maximum].present? && args[:maximum] < actual_size
+        max_size = number_to_human_size(args[:maximum])
+        return { error: "#{ct('file_size_exceeded', default: 'File size exceeded')} (#{max_size})" }
       end
 
       name = args[:name] || uploaded_io&.original_filename || uploaded_io.path.split('/').last
@@ -323,14 +325,17 @@ module CamaleonCms
       File.open(path, 'wb') { |f| f.write(uploaded_io.read) } unless saved
       path = cama_resize_upload(path, args[:dimension]) if args[:dimension].present?
       { file_path: path, error: nil }
+    ensure
+      downloaded_tmp_file&.close!
     end
 
     # resize image if the format is correct
     # return resized file path
     def cama_resize_upload(image_path, dimension, args = {})
       if cama_uploader.class.validate_file_format(image_path, 'image') && dimension.present?
-        r = { file: image_path, w: dimension.split('x')[0], h: dimension.split('x')[1], w_offset: 0, h_offset: 0,
-              resize: !dimension.split('x')[2] || dimension.split('x')[2] == 'resize',
+        dim_parts = dimension.split('x')
+        r = { file: image_path, w: dim_parts[0], h: dim_parts[1], w_offset: 0, h_offset: 0,
+              resize: !dim_parts[2] || dim_parts[2] == 'resize',
               replace: true, gravity: :north_east }.merge!(args)
         hooks_run('on_uploader_resize', r)
         image_path = if r[:w].present? && r[:h].present?
@@ -355,25 +360,20 @@ module CamaleonCms
             secret_key: current_site.get_option('filesystem_s3_secret_key'),
             bucket: current_site.get_option('filesystem_s3_bucket_name'),
             cloud_front: current_site.get_option('filesystem_s3_cloudfront'),
-            aws_file_upload_settings: lambda { |settings|
-                                        settings
-                                      }, # permit to add your custom attributes for file_upload https://docs.aws.amazon.com/sdkforruby/api/Aws/S3/Object.html#upload_file-instance_method
-            aws_file_read_settings: lambda { |data, _s3_file|
-                                      data
-                                    } # permit to read custom attributes from aws file and add to file parsed object
+            aws_file_upload_settings: ->(settings) { settings }, # permit to add your custom attributes for file_upload https://docs.aws.amazon.com/sdkforruby/api/Aws/S3/Object.html#upload_file-instance_method
+            aws_file_read_settings: ->(data, _s3_file) { data } # permit to read custom attributes from aws file and add to file parsed object
           },
           custom_uploader: nil # possibility to use custom file uploader
         }
         hooks_run('on_uploader', args)
         return args[:custom_uploader] if args[:custom_uploader].present?
 
+        base_args = { current_site: current_site, thumb: args[:thumb] }
         case args[:server]
         when 's3', 'aws'
-          CamaleonCmsAwsUploader.new(
-            { current_site: current_site, thumb: args[:thumb], aws_settings: args[:aws_settings] }, self
-          )
+          CamaleonCmsAwsUploader.new(base_args.merge(aws_settings: args[:aws_settings]), self)
         else
-          CamaleonCmsLocalUploader.new({ current_site: current_site, thumb: args[:thumb] }, self)
+          CamaleonCmsLocalUploader.new(base_args, self)
         end
       }.call
     end
@@ -384,19 +384,58 @@ module CamaleonCms
 
     def slugify_folder(val)
       split_folder = val.split('/')
-      split_folder[-1] = slugify(split_folder.last)
+      split_folder[-1] = slugify(split_folder[-1])
       split_folder.join('/')
     end
 
     private
 
+    # Download remote files with SSRF guardrails: validate host/IP and reject redirects.
+    # NOTE: UserUrlValidator.validate is intentionally called here even though the
+    # crop_url controller path may have already validated the URL — this ensures
+    # every caller of cama_tmp_upload is protected (defense-in-depth).
+    def cama_download_remote_file(url)
+      validation_result = UserUrlValidator.validate(url)
+      return { error: validation_result.join(', ') } if validation_result.is_a?(Array)
+
+      uri = URI.parse(url)
+      response = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
+        http.open_timeout = 10
+        http.read_timeout = 10
+        http.request(Net::HTTP::Get.new(uri.request_uri.presence || '/'))
+      end
+
+      return { error: 'Redirects are not allowed for remote uploads.' } if response.is_a?(Net::HTTPRedirection)
+
+      return { error: "Unable to download remote file (HTTP #{response.code})." } unless response.is_a?(Net::HTTPSuccess)
+
+      # Enforce the site's maximum upload size to prevent memory exhaustion from oversized responses.
+      max_bytes = current_site.get_option('filesystem_max_size', 100).to_f.megabytes
+      body = response.body
+      if body.bytesize > max_bytes
+        return { error: "Remote file too large (max #{ActiveSupport::NumberHelper.number_to_human_size(max_bytes)})." }
+      end
+
+      ext = File.extname(uri.path.to_s)
+      tempfile = Tempfile.new(['cama-upload-url', ext], binmode: true)
+      tempfile.write(body)
+      tempfile.rewind
+      { file: tempfile, error: nil }
+    rescue StandardError => e
+      { error: "Unable to download remote file: #{ERB::Util.html_escape(e.message)}" }
+    end
+
     def file_content_unsafe?(uploaded_io)
       file = uploaded_io.is_a?(ActionDispatch::Http::UploadedFile) ? uploaded_io.tempfile : uploaded_io
       file_content_unsafe = nil
 
       file.set_encoding(Encoding::BINARY) if file.respond_to?(:binmode) && file.respond_to?(:set_encoding)
 
+      # Read the file for pattern scanning, then rewind so subsequent consumers
+      # (e.g. upload handlers) can read the full content. Failing to rewind
+      # resulted in 0-byte uploads when the file was a Tempfile (see report).
       file_content = file.read
+      file.rewind if file.respond_to?(:rewind)
       SUSPICIOUS_PATTERNS.each do |pattern|
         if file_content =~ pattern
           Rails.logger.info { "Potentially malicious content found: #{pattern.inspect}" }
@@ -432,5 +471,17 @@ module CamaleonCms
     def cama_parse_for_thumb_name(file_path)
       "#{@fog_connection_hook_res[:thumb_folder_name]}/#{File.basename(file_path).parameterize}#{File.extname(file_path)}"
     end
+
+    def clamp_to_image_dimension(value, img_size)
+      return value unless value.present? && value.to_s.include?('?')
+
+      img_size.to_f > value.sub('?', '').to_i ? value.sub('?', '') : img_size
+    end
+
+    def validate_file_format_or_error(file, formats)
+      return if cama_uploader.class.validate_file_format(file, formats)
+
+      { error: "#{ct('file_format_error')} (#{formats})" }
+    end
   end
 end

data/app/models/camaleon_cms/ability.rb

@@ -12,9 +12,16 @@ module CamaleonCms
         can :read, :all
       else
         # conditions:
-        current_user_role = user.get_role(current_site) || current_site.user_roles.new
-        @roles_manager ||= current_user_role.get_meta("_manager_#{current_site.id}", {}) || {}
-        @roles_post_type ||= current_user_role.get_meta("_post_type_#{current_site.id}", {}) || {}
+        # Fetch the role record fresh from the database for the current site to
+        # ensure up-to-date role meta (avoid stale cached role objects during
+        # tests or runtime meta updates).
+        current_user_role = if current_site.present?
+                              current_site.user_roles.where(slug: user.role).first
+                            else
+                              user.get_role(current_site)
+                            end || current_site.user_roles.new
+        @roles_manager = current_user_role.get_meta("_manager_#{current_site.id}", {}) || {}
+        @roles_post_type = current_user_role.get_meta("_post_type_#{current_site.id}", {}) || {}
 
         ids_publish = @roles_post_type[:publish] || []
         ids_edit = @roles_post_type[:edit] || []
@@ -24,83 +31,45 @@ module CamaleonCms
         ids_delete_other = @roles_post_type[:delete_other] || []
         ids_delete_publish = @roles_post_type[:delete_publish] || []
 
-        can :posts, CamaleonCms::PostType do |pt|
+        safe_can :posts, CamaleonCms::PostType do |pt|
           (ids_edit + ids_edit_other + ids_edit_publish).to_i.include?(pt.id)
-        rescue StandardError
-          false
         end
 
-        can :create_post, CamaleonCms::PostType do |pt|
+        safe_can :create_post, CamaleonCms::PostType do |pt|
           ids_edit.to_i.include?(pt.id)
-        rescue StandardError
-          false
         end
-        can :publish_post, CamaleonCms::PostType do |pt|
+        safe_can :publish_post, CamaleonCms::PostType do |pt|
           ids_publish.to_i.include?(pt.id)
-        rescue StandardError
-          false
         end
-        can :edit_other, CamaleonCms::PostType do |pt|
+        safe_can :edit_other, CamaleonCms::PostType do |pt|
           ids_edit_other.to_i.include?(pt.id)
-        rescue StandardError
-          false
         end
-        can :edit_publish, CamaleonCms::PostType do |pt|
+        safe_can :edit_publish, CamaleonCms::PostType do |pt|
           ids_edit_publish.to_i.include?(pt.id)
-        rescue StandardError
-          false
         end
 
-        can :categories, CamaleonCms::PostType do |pt|
+        safe_can :categories, CamaleonCms::PostType do |pt|
           @roles_post_type[:manage_categories].to_i.include?(pt.id)
-        rescue StandardError
-          false
         end
-        can :post_tags, CamaleonCms::PostType do |pt|
+        safe_can :post_tags, CamaleonCms::PostType do |pt|
           @roles_post_type[:manage_tags].to_i.include?(pt.id)
-        rescue StandardError
-          false
         end
 
-        can :update, CamaleonCms::Post do |post|
+        safe_can :update, CamaleonCms::Post do |post|
           pt_id = post.post_type.id
           r = false
-          r ||= begin
-            ids_edit.to_i.include?(pt_id) && post.user_id == user.id
-          rescue StandardError
-            false
-          end
-          r ||= begin
-            ids_edit_publish.to_i.include?(pt_id) && post.published?
-          rescue StandardError
-            false
-          end
-          r ||= begin
-            ids_edit_other.to_i.include?(pt_id) && post.user_id != user.id
-          rescue StandardError
-            false
-          end
+          r ||= ids_edit.to_i.include?(pt_id) && post.user_id == user.id
+          r ||= ids_edit_publish.to_i.include?(pt_id) && post.published?
+          r ||= ids_edit_other.to_i.include?(pt_id) && post.user_id != user.id
           r
         end
 
-        can :destroy, CamaleonCms::Post do |post|
+        safe_can :destroy, CamaleonCms::Post do |post|
           pt_id = post.post_type.id
           r = false
-          r ||= begin
-            ids_delete.to_i.include?(pt_id) && post.user_id == user.id
-          rescue StandardError
-            false
-          end
-          r ||= begin
-            ids_delete_publish.to_i.include?(pt_id) && post.published?
-          rescue StandardError
-            false
-          end
-          r ||= begin
-            ids_delete_other.to_i.include?(pt_id) && post.user_id != user.id
-          rescue StandardError
-            false
-          end
+          r ||= ids_delete.to_i.include?(pt_id) && post.user_id == user.id
+          r ||= ids_delete_publish.to_i.include?(pt_id) && post.published?
+          r ||= ids_delete_other.to_i.include?(pt_id) && post.user_id != user.id
           r
         end
 
@@ -109,59 +78,17 @@ module CamaleonCms
         @roles_post_type.each do |k, v|
           next if %w[edit edit_other edit_publish publish manage_categories].include?(k.to_s)
 
-          can k.to_sym, CamaleonCms::PostType do |pt|
+          safe_can k.to_sym, CamaleonCms::PostType do |pt|
             v.include?(pt.id.to_s)
-          rescue StandardError
-            false
           end
         end
 
         # others
-        begin
-          can :manage, :media if @roles_manager[:media]
-        rescue StandardError
-          false
-        end
-        begin
-          can :manage, :comments if @roles_manager[:comments]
-        rescue StandardError
-          false
-        end
-        # can :manage, :forms     if @roles_manager[:forms] rescue false
-        begin
-          can :manage, :themes if @roles_manager[:themes]
-        rescue StandardError
-          false
-        end
-        begin
-          can :manage, :widgets if @roles_manager[:widgets]
-        rescue StandardError
-          false
-        end
-        begin
-          can :manage, :nav_menu if @roles_manager[:nav_menu]
-        rescue StandardError
-          false
-        end
-        begin
-          can :manage, :plugins if @roles_manager[:plugins]
-        rescue StandardError
-          false
-        end
-        begin
-          can :manage, :users if @roles_manager[:users]
-        rescue StandardError
-          false
-        end
-        begin
-          can :manage, :settings if @roles_manager[:settings]
-        rescue StandardError
-          false
+        %i[media comments themes widgets nav_menu plugins users settings custom_fields select_eval].each do |manager_key|
+          safe_can :manage, manager_key if @roles_manager[manager_key]
         end
         @roles_manager.try(:each) do |rol_manage_key, val_role|
-          can :manage, rol_manage_key.to_sym if val_role.to_s.cama_true?
-        rescue StandardError
-          false
+          safe_can :manage, rol_manage_key.to_sym if val_role.to_s.cama_true?
         end
       end
       cannot :impersonate, CamaleonCms::User do |u|
@@ -182,5 +109,30 @@ module CamaleonCms
     def cannot?(*args)
       !can?(*args)
     end
+
+    private
+
+    # Wraps a can rule with block-level exception handling.
+    # Blocks are evaluated later during authorization checks (can? calls), so exceptions
+    # from accessing post properties, role metadata, etc. must be caught here to fail closed.
+    # Non-block calls (e.g., can :manage, :symbol) do not need wrapping; can itself is safe.
+    def safe_can(action, subject, &block)
+      if block_given?
+        can(action, subject) do |resource|
+          safely_false { block.call(resource) }
+        end
+      else
+        # No block: can(action, subject) does not evaluate user logic; safe to call directly.
+        can(action, subject)
+      end
+    end
+
+    # Fails closed for permission checks when role/post metadata is malformed.
+    # Used by safe_can to guard block evaluation during authorization checks.
+    def safely_false
+      yield
+    rescue StandardError
+      false
+    end
   end
 end

data/app/models/camaleon_cms/category.rb

@@ -1,5 +1,7 @@
 module CamaleonCms
   class Category < CamaleonCms::TermTaxonomy
+    normalize_attrs(:name, :description)
+
     alias_attribute :site_id, :term_group
     alias_attribute :post_type_id, :status
 

data/app/models/camaleon_cms/custom_field.rb

@@ -25,6 +25,7 @@ module CamaleonCms
                                    unless: ->(o) { o.is_a?(CamaleonCms::CustomFieldGroup) }
 
     before_validation :before_validating
+    before_update :check_select_eval_authorization
 
     private
 
@@ -32,5 +33,18 @@ module CamaleonCms
       self.slug ||= name
       self.slug = slug.to_s.parameterize
     end
+
+    # Prevent unauthorized modification of field_key to select_eval
+    def check_select_eval_authorization
+      return unless respond_to?(:options) && options.present?
+
+      # Check if field_key is being changed to select_eval
+      return unless options[:field_key] == 'select_eval'
+      # Allow if user has explicit permission
+      return if can?(:manage, :select_eval)
+
+      errors.add(:base, 'Not authorized to create or modify select_eval fields')
+      throw :abort
+    end
   end
 end