publify_core 10.0.2 → 10.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a80ae8a43965fcfb378504dd7b9d0cf6f13d5bc87df95fd9fb937caca4eb401f
-  data.tar.gz: d18535211810991287441d7e851786062d1ae0dea3b7835f47a102d20c0c179f
+  metadata.gz: b3e5084922bf07bd1308c17a903b8d97773f92b4068a02aedbddb77ee3e4d86c
+  data.tar.gz: d8689c538a7fad96f040adc776cc55b9f489a5bcfaef8dfa6ca7b4a31aa3a385
 SHA512:
-  metadata.gz: 4154fcce63f81d06ea49c427307cebe10dec30c90dfeb16d4955fd9fca6e40be98a6d95a00b2582d0dd41d81ed82535a5f6b4ee3fc403ebfd04f924aa5e3bb59
-  data.tar.gz: 8dfb7191f158518c34cac975d53f89ed74539c14340db36f67fc6f5951e3f8a90004881d1a2a74c0740368040c19f424d29f0d830ddae9dcbe2b260b69c81846
+  metadata.gz: aeeeb16cf53b8f6fd74cfd04ac9c960a25f05fd603e4d127cbee813d37a8ddd2675ed6f082aa2ea59155aa3ab407297c6a733d8ce0f124d4a9affd98163a52e7
+  data.tar.gz: 80b5de3c4bd37f72ccbce5d27d10fbff4519d3bca84a30eee988e389b48b83b6969320c90db38590aeae40a46be5708e838ea066855ea6aef4a254f50cb2632f

data/CHANGELOG.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## 10.0.3 / 2025-03-28
+
+* Limit accepted parameters for Sidebar update in Admin ([#159] by [mvz])
+* Use known set of allowed attributes when autosaving an Article ([#160] by [mvz])
+* Permit only valid settings keys when updating blog settings ([#161] by [mvz])
+* Limit assigned attributes when creating and updating Notes ([#162] by [mvz])
+* Limit allowed SEO settings params ([#163] by [mvz])
+
+[#159]: https://github.com/publify/publify_core/pull/159
+[#160]: https://github.com/publify/publify_core/pull/160
+[#161]: https://github.com/publify/publify_core/pull/161
+[#162]: https://github.com/publify/publify_core/pull/162
+[#163]: https://github.com/publify/publify_core/pull/163
+
 ## 10.0.2 / 2024-06-28
 
 ### Security updates

data/app/controllers/admin/articles_controller.rb

@@ -108,7 +108,7 @@ class Admin::ArticlesController < Admin::BaseController
 
     fetch_fresh_or_existing_draft_for_article
 
-    @article.attributes = params[:article].permit!
+    @article.assign_attributes(update_params)
 
     @article.author = current_user
     @article.save_attachments!(params[:attachments])

data/app/controllers/admin/notes_controller.rb

@@ -23,7 +23,7 @@ class Admin::NotesController < Admin::BaseController
     note = new_note
 
     note.state = "published"
-    note.attributes = params[:note].permit!
+    note.assign_attributes(note_params)
     note.text_filter ||= default_text_filter
     note.published_at ||= Time.zone.now
     if note.save
@@ -41,7 +41,7 @@ class Admin::NotesController < Admin::BaseController
   end
 
   def update
-    @note.attributes = params[:note].permit!
+    @note.assign_attributes(note_params)
     @note.save
     redirect_to admin_notes_url
   end
@@ -54,6 +54,15 @@ class Admin::NotesController < Admin::BaseController
 
   private
 
+  def note_params
+    params.require(:note).permit(:text_filter_name,
+                                 :body,
+                                 :push_to_twitter,
+                                 :in_reply_to_status_id,
+                                 :permalink,
+                                 :published_at)
+  end
+
   def load_existing_notes
     @notes = Note.page(params[:page]).per(this_blog.limit_article_display)
   end

data/app/controllers/admin/seo_controller.rb

@@ -30,7 +30,11 @@ class Admin::SeoController < Admin::BaseController
   private
 
   def settings_params
-    @settings_params ||= params.require(:setting).permit!
+    @settings_params ||= params.require(:setting).permit(settings_keys)
+  end
+
+  def settings_keys
+    @setting.settings_keys + [:custom_permalink]
   end
 
   VALID_SECTIONS = %w(general titles permalinks).freeze

data/app/controllers/admin/settings_controller.rb

@@ -36,7 +36,7 @@ class Admin::SettingsController < Admin::BaseController
   VALID_ACTIONS = %w(index write feedback display).freeze
 
   def settings_params
-    @settings_params ||= params.require(:setting).permit!
+    @settings_params ||= params.require(:setting).permit(@setting.settings_keys)
   end
 
   def action_param

data/app/controllers/admin/sidebar_controller.rb

@@ -8,9 +8,11 @@ class Admin::SidebarController < Admin::BaseController
 
   # Just update a single active Sidebar instance at once
   def update
-    @sidebar = Sidebar.where(id: params[:id]).first
+    @sidebar = Sidebar.find(params[:id])
     @old_s_index = @sidebar.staged_position || @sidebar.active_position
-    @sidebar.update params[:configure][@sidebar.id.to_s].permit!
+    @sidebar.update params.require(:configure)
+      .require(@sidebar.id.to_s)
+      .permit(@sidebar.fields.map(&:key))
     respond_to do |format|
       format.js
       format.html do

data/app/models/config_manager.rb

@@ -28,6 +28,10 @@ module ConfigManager
       fields[key.to_s].default
     end
 
+    def settings_keys
+      fields.keys
+    end
+
     private
 
     def add_setting_reader(item)
@@ -65,6 +69,10 @@ module ConfigManager
     self.class.fields[key.to_s].canonicalize(value)
   end
 
+  def settings_keys
+    self.class.settings_keys
+  end
+
   class Item
     VALID_TYPES = [:boolean, :integer, :string, :text].freeze
 

data/lib/publify_core/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module PublifyCore
-  VERSION = "10.0.2"
+  VERSION = "10.0.3"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: publify_core
 version: !ruby/object:Gem::Version
-  version: 10.0.2
+  version: 10.0.3
 platform: ruby
 authors:
 - Matijs van Zuijlen
@@ -11,7 +11,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-06-28 00:00:00.000000000 Z
+date: 2025-03-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aasm
@@ -1203,7 +1203,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.11
+rubygems_version: 3.3.27
 signing_key:
 specification_version: 4
 summary: Core engine for the Publify blogging system.