v1.0.1

@jhawthorn jhawthorn released this 19 Aug 18:39

This is a patch release fixing a major security vulnerability.

Changes

  • ransackable associations are now whitelisted
  • ransackable attributes are now whitelisted
  • payment response_codes are no longer shown in the API
  • spree_api_keys are no longer shown in the admin
  • Fixes to some combinations of PermissionSet

Upgrading

We've kept the changes minimal for this patch release. However, the security change to ransack may break custom ransack searches: any custom association or attribute that is searched on must now be whitelisted. For example:

# in config/initializers/spree.rb
Spree::Product.whitelisted_ransackable_associations |= ['category_page']
Spree::Product.whitelisted_ransackable_attributes |= ['extra_description']