plutonium 0.62.0 â 0.62.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +18 -3
- data/SECURITY.md +57 -0
- data/lib/plutonium/resource/controllers/crud_actions.rb +13 -1
- data/lib/plutonium/version.rb +1 -1
- data/lib/plutonium/wizard/not_anchored_error.rb +8 -0
- data/lib/plutonium/wizard/{errors.rb â step_error.rb} +0 -8
- data/lib/plutonium/wizard/unknown_wizard_error.rb +10 -0
- data/lib/plutonium/wizard.rb +0 -1
- data/lib/tasks/release.rake +16 -0
- data/package.json +1 -1
- data/plutonium.gemspec +3 -0
- metadata +7 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 1bf12b730a106a86a4944705ef1bfffe79d245e56b2585906f3b7787db9ead84
|
|
4
|
+
data.tar.gz: da3e1fc7f6d708abb473e1e18b53ea612181c2637480781b4423ce8af3d4e7e4
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 49e628c86ad4fe1bcdb032bbcd773c4c26b4ad98626e977d1ae573e4c024245275f988609815b0ac0599d4a3077a1d2c0704b473a5c3b9f2a74491cb65cd6a12
|
|
7
|
+
data.tar.gz: df9ba22d2a3e1c1e3504f06c1c435ecccc22fc2712b651e03458677794edc3ee7c53ed64b40666a0278fc8e016dd1e71883011ddd4a3b8d519267b592b5bfdff
|
data/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,21 @@
|
|
|
2
2
|
|
|
3
3
|
All notable changes to this project will be documented in this file.
|
|
4
4
|
|
|
5
|
+
## [0.62.1] - 2026-07-07
|
|
6
|
+
|
|
7
|
+
### Bug Fixes
|
|
8
|
+
|
|
9
|
+
- Split grouped error classes into per-constant files
|
|
10
|
+
- Fall back to index when deleting from the record's own page
|
|
11
|
+
|
|
12
|
+
### Documentation
|
|
13
|
+
|
|
14
|
+
- Add SECURITY.md and auto-bump its version series on release
|
|
15
|
+
|
|
16
|
+
### Miscellaneous Tasks
|
|
17
|
+
|
|
18
|
+
- Require RubyGems MFA and disable CI auto-release
|
|
19
|
+
|
|
5
20
|
## [0.62.0] - 2026-07-04
|
|
6
21
|
|
|
7
22
|
### Bug Fixes
|
|
@@ -67,11 +82,11 @@ All notable changes to this project will be documented in this file.
|
|
|
67
82
|
|
|
68
83
|
## [0.60.5] - 2026-06-30
|
|
69
84
|
|
|
70
|
-
###
|
|
85
|
+
### Bug Fixes
|
|
71
86
|
|
|
72
|
-
-
|
|
87
|
+
- Coerce ActiveStorage::Filename to String for HTML title attributes
|
|
73
88
|
|
|
74
|
-
###
|
|
89
|
+
### Miscellaneous Tasks
|
|
75
90
|
|
|
76
91
|
- Update yarn.lock and .yarnrc.yml after yarn install
|
|
77
92
|
|
data/SECURITY.md
ADDED
|
@@ -0,0 +1,57 @@
|
|
|
1
|
+
# Security Policy
|
|
2
|
+
|
|
3
|
+
We take the security of Plutonium seriously. Because Plutonium is a framework
|
|
4
|
+
that other applications are built on, a vulnerability here can affect many
|
|
5
|
+
downstream apps. We appreciate your help in disclosing issues responsibly.
|
|
6
|
+
|
|
7
|
+
## Supported Versions
|
|
8
|
+
|
|
9
|
+
Plutonium is pre-1.0 and evolving quickly. Security fixes are released against
|
|
10
|
+
the **latest published version** only. If you are running an older release,
|
|
11
|
+
please upgrade before reporting an issue to confirm it still reproduces.
|
|
12
|
+
|
|
13
|
+
| Version | Supported |
|
|
14
|
+
| ------- | ------------------ |
|
|
15
|
+
| Latest release (`0.62.x`) | :white_check_mark: |
|
|
16
|
+
| Older releases | :x: |
|
|
17
|
+
|
|
18
|
+
## Reporting a Vulnerability
|
|
19
|
+
|
|
20
|
+
**Please do not report security vulnerabilities through public GitHub issues,
|
|
21
|
+
discussions, or pull requests.**
|
|
22
|
+
|
|
23
|
+
Instead, use one of the following private channels:
|
|
24
|
+
|
|
25
|
+
- **Preferred:** [Open a private vulnerability report](https://github.com/radioactive-labs/plutonium-core/security/advisories/new)
|
|
26
|
+
via GitHub Security Advisories.
|
|
27
|
+
- **Email:** [sfroelich01@gmail.com](mailto:sfroelich01@gmail.com) with the
|
|
28
|
+
subject line `[SECURITY] Plutonium`.
|
|
29
|
+
|
|
30
|
+
To help us triage quickly, please include as much of the following as you can:
|
|
31
|
+
|
|
32
|
+
- The Plutonium version (and Rails version) affected.
|
|
33
|
+
- A description of the vulnerability and its impact.
|
|
34
|
+
- Steps to reproduce, or a proof-of-concept.
|
|
35
|
+
- Any known workarounds.
|
|
36
|
+
|
|
37
|
+
## What to Expect
|
|
38
|
+
|
|
39
|
+
- **Acknowledgement:** We aim to acknowledge your report within **3 business days**.
|
|
40
|
+
- **Assessment:** We will investigate and let you know whether the report is
|
|
41
|
+
accepted, along with our expected timeline for a fix.
|
|
42
|
+
- **Disclosure:** We follow a coordinated disclosure process. We will work with
|
|
43
|
+
you to agree on a disclosure date once a fix is available, and we are happy to
|
|
44
|
+
credit you in the advisory unless you prefer to remain anonymous.
|
|
45
|
+
|
|
46
|
+
Please give us a reasonable opportunity to address the issue before any public
|
|
47
|
+
disclosure.
|
|
48
|
+
|
|
49
|
+
## Scope
|
|
50
|
+
|
|
51
|
+
Security reports about the Plutonium framework code in this repository are in
|
|
52
|
+
scope. Issues in applications *built with* Plutonium, or in third-party
|
|
53
|
+
dependencies, should be reported to their respective maintainers â though if you
|
|
54
|
+
believe a dependency issue is triggered by how Plutonium uses it, we would like
|
|
55
|
+
to hear about it.
|
|
56
|
+
|
|
57
|
+
Thank you for helping keep Plutonium and its community safe.
|
|
@@ -212,13 +212,25 @@ module Plutonium
|
|
|
212
212
|
end
|
|
213
213
|
|
|
214
214
|
def redirect_url_after_destroy
|
|
215
|
-
if (return_to = url_from(params[:return_to])) && return_to
|
|
215
|
+
if (return_to = url_from(params[:return_to])) && !same_resource_url?(return_to)
|
|
216
216
|
return return_to
|
|
217
217
|
end
|
|
218
218
|
|
|
219
219
|
resource_url_for(resource_class)
|
|
220
220
|
end
|
|
221
221
|
|
|
222
|
+
# A return_to pointing at the just-deleted record's own show/edit page
|
|
223
|
+
# would 404 on the follow-up request, so treat those as unusable and let
|
|
224
|
+
# the caller fall back to the index. We compare paths because return_to
|
|
225
|
+
# is the bare record URL while request.url still carries ?return_to=.
|
|
226
|
+
def same_resource_url?(return_to)
|
|
227
|
+
return false unless resource_record?
|
|
228
|
+
|
|
229
|
+
target_path = URI.parse(return_to).path
|
|
230
|
+
record_path = URI.parse(resource_url_for(resource_record!)).path
|
|
231
|
+
target_path == record_path || target_path == "#{record_path}/edit"
|
|
232
|
+
end
|
|
233
|
+
|
|
222
234
|
def preferred_action_after_submit
|
|
223
235
|
@preferred_action_after_submit = begin
|
|
224
236
|
if %w[new edit show index].include? params[:commit]
|
data/lib/plutonium/version.rb
CHANGED
|
@@ -2,14 +2,6 @@
|
|
|
2
2
|
|
|
3
3
|
module Plutonium
|
|
4
4
|
module Wizard
|
|
5
|
-
# Raised when a wizard requires an anchor record but none is available.
|
|
6
|
-
class NotAnchoredError < StandardError; end
|
|
7
|
-
|
|
8
|
-
# Raised when the `wizard_class` route default does not resolve to a
|
|
9
|
-
# Plutonium::Wizard::Base subclass (a misconfigured mount, or a tampered
|
|
10
|
-
# path parameter).
|
|
11
|
-
class UnknownWizardError < StandardError; end
|
|
12
|
-
|
|
13
5
|
# Raised when a wizard step fails. Carries the attribute the error should be
|
|
14
6
|
# attached to (defaults to +:base+) so it can be surfaced on a form.
|
|
15
7
|
class StepError < StandardError
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module Plutonium
|
|
4
|
+
module Wizard
|
|
5
|
+
# Raised when the `wizard_class` route default does not resolve to a
|
|
6
|
+
# Plutonium::Wizard::Base subclass (a misconfigured mount, or a tampered
|
|
7
|
+
# path parameter).
|
|
8
|
+
class UnknownWizardError < StandardError; end
|
|
9
|
+
end
|
|
10
|
+
end
|
data/lib/plutonium/wizard.rb
CHANGED
data/lib/tasks/release.rake
CHANGED
|
@@ -23,6 +23,7 @@ RELEASE_CLIFF_CONFIG = ".cliff.toml"
|
|
|
23
23
|
RELEASE_VERSION_FILE = "lib/plutonium/version.rb"
|
|
24
24
|
RELEASE_PACKAGE_JSON = "package.json"
|
|
25
25
|
RELEASE_NPM_PACKAGE = "@radioactive-labs/plutonium"
|
|
26
|
+
RELEASE_SECURITY_FILE = "SECURITY.md"
|
|
26
27
|
|
|
27
28
|
namespace :release do
|
|
28
29
|
# --- helpers --------------------------------------------------------------
|
|
@@ -89,6 +90,21 @@ namespace :release do
|
|
|
89
90
|
File.write(RELEASE_PACKAGE_JSON, pkg.gsub(/"version":\s*"[\d.]+"/, %("version": "#{version}")))
|
|
90
91
|
puts "â #{RELEASE_PACKAGE_JSON}"
|
|
91
92
|
|
|
93
|
+
# Bump the supported-version series in SECURITY.md (e.g. `0.62.x`), so the
|
|
94
|
+
# policy always names the current release series. Skipped if the file or the
|
|
95
|
+
# expected `X.Y.x` marker is missing â a release must never fail over this.
|
|
96
|
+
if File.exist?(RELEASE_SECURITY_FILE)
|
|
97
|
+
series = "#{version.split(".").first(2).join(".")}.x"
|
|
98
|
+
security = File.read(RELEASE_SECURITY_FILE)
|
|
99
|
+
updated = security.gsub(/`\d+\.\d+\.x`/, "`#{series}`")
|
|
100
|
+
if updated == security
|
|
101
|
+
puts "âĸ #{RELEASE_SECURITY_FILE} â no `X.Y.x` marker found, skipping"
|
|
102
|
+
else
|
|
103
|
+
File.write(RELEASE_SECURITY_FILE, updated)
|
|
104
|
+
puts "â #{RELEASE_SECURITY_FILE}"
|
|
105
|
+
end
|
|
106
|
+
end
|
|
107
|
+
|
|
92
108
|
# Changelog â same config CI uses for release notes, so they agree.
|
|
93
109
|
abort "git-cliff not found. Install with: brew install git-cliff" unless git_cliff?
|
|
94
110
|
system("git-cliff", "--config", RELEASE_CLIFF_CONFIG, "--tag", "v#{version}", "-o", "CHANGELOG.md") ||
|
data/package.json
CHANGED
data/plutonium.gemspec
CHANGED
|
@@ -15,6 +15,9 @@ Gem::Specification.new do |spec|
|
|
|
15
15
|
spec.required_ruby_version = ">= 3.2.2"
|
|
16
16
|
|
|
17
17
|
spec.metadata["allowed_push_host"] = "https://rubygems.org"
|
|
18
|
+
# Require multi-factor auth for privileged RubyGems actions (push, yank,
|
|
19
|
+
# owner changes). `gem push` will prompt for an OTP at release time.
|
|
20
|
+
spec.metadata["rubygems_mfa_required"] = "true"
|
|
18
21
|
|
|
19
22
|
spec.post_install_message = <<~MSG
|
|
20
23
|
âšī¸ Plutonium â breaking change introduced in 0.49.0
|
metadata
CHANGED
|
@@ -1,13 +1,13 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: plutonium
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.62.
|
|
4
|
+
version: 0.62.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Stefan Froelich
|
|
8
8
|
bindir: exe
|
|
9
9
|
cert_chain: []
|
|
10
|
-
date: 2026-07-
|
|
10
|
+
date: 2026-07-07 00:00:00.000000000 Z
|
|
11
11
|
dependencies:
|
|
12
12
|
- !ruby/object:Gem::Dependency
|
|
13
13
|
name: zeitwerk
|
|
@@ -467,6 +467,7 @@ files:
|
|
|
467
467
|
- LICENSE.txt
|
|
468
468
|
- README.md
|
|
469
469
|
- Rakefile
|
|
470
|
+
- SECURITY.md
|
|
470
471
|
- app/assets/plutonium.css
|
|
471
472
|
- app/assets/plutonium.ico
|
|
472
473
|
- app/assets/plutonium.js
|
|
@@ -1289,12 +1290,12 @@ files:
|
|
|
1289
1290
|
- lib/plutonium/wizard/data.rb
|
|
1290
1291
|
- lib/plutonium/wizard/driving.rb
|
|
1291
1292
|
- lib/plutonium/wizard/dsl.rb
|
|
1292
|
-
- lib/plutonium/wizard/errors.rb
|
|
1293
1293
|
- lib/plutonium/wizard/field_capture.rb
|
|
1294
1294
|
- lib/plutonium/wizard/field_importer.rb
|
|
1295
1295
|
- lib/plutonium/wizard/gate.rb
|
|
1296
1296
|
- lib/plutonium/wizard/instance_key.rb
|
|
1297
1297
|
- lib/plutonium/wizard/lazy_persisted.rb
|
|
1298
|
+
- lib/plutonium/wizard/not_anchored_error.rb
|
|
1298
1299
|
- lib/plutonium/wizard/resume.rb
|
|
1299
1300
|
- lib/plutonium/wizard/review_step.rb
|
|
1300
1301
|
- lib/plutonium/wizard/route_resolution.rb
|
|
@@ -1303,10 +1304,12 @@ files:
|
|
|
1303
1304
|
- lib/plutonium/wizard/state.rb
|
|
1304
1305
|
- lib/plutonium/wizard/step.rb
|
|
1305
1306
|
- lib/plutonium/wizard/step_adapter.rb
|
|
1307
|
+
- lib/plutonium/wizard/step_error.rb
|
|
1306
1308
|
- lib/plutonium/wizard/store/active_record.rb
|
|
1307
1309
|
- lib/plutonium/wizard/store/base.rb
|
|
1308
1310
|
- lib/plutonium/wizard/store/memory.rb
|
|
1309
1311
|
- lib/plutonium/wizard/sweep_job.rb
|
|
1312
|
+
- lib/plutonium/wizard/unknown_wizard_error.rb
|
|
1310
1313
|
- lib/rodauth/features/case_insensitive_login.rb
|
|
1311
1314
|
- lib/rodauth/plugins.rb
|
|
1312
1315
|
- lib/tasks/.keep
|
|
@@ -1387,6 +1390,7 @@ licenses:
|
|
|
1387
1390
|
- MIT
|
|
1388
1391
|
metadata:
|
|
1389
1392
|
allowed_push_host: https://rubygems.org
|
|
1393
|
+
rubygems_mfa_required: 'true'
|
|
1390
1394
|
homepage_uri: https://radioactive-labs.github.io/plutonium-core/
|
|
1391
1395
|
source_code_uri: https://github.com/radioactive-labs/plutonium-core
|
|
1392
1396
|
post_install_message: |
|