Fix security issues #749

Merged
merged 3 commits into from Feb 5, 2018

DmitryAvramec
Contributor

No description provided.

if find
find.safe_constantize
else
raise "Unknown resourse"
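
Review bot: the result of find.safe_constantize is never checked. safe_constantize returns nil for a name that does not resolve to a constant, so an unresolvable name passes through this branch silently while only a falsy find reaches the raise. Assign the result, raise the same error when it is nil, and, if find can be derived from request input, compare it against the set of expected resource classes before resolving it, since safe_constantize returns any constant that happens to be loaded.
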
Member

Spelling: resource

@@ -114,7 +114,22 @@ def subform
protected

def field_params
params[:field].permit!
params.require(:field).permit(
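
Review bot: the list opened by params.require(:field).permit( needs a test, and the require call needs its error path covered. Any attribute that arrives as an array or hash has to be declared as name: [] or name: {}, because a bare symbol permits scalar values only and anything else is dropped without an error. params.require(:field) also raises ActionController::ParameterMissing when the key is absent, so a controller test that posts one unlisted key, one nested attribute and one request without field would pin all three behaviours.
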
Member

I doubt that anyone would have extended the field class while using it as an engine; but we should make sure we write a migration guide for anywhere we went for explicit param whitelisting, suggesting people will want to .permit() their customised attributes.

@CloCkWeRX
Member

and rubocop --auto-gen-config too

@johnnyshields
Contributor

@DmitryAvramec there's still a rubocop error here.
