Merge pull request #161 from publify/limit-admin-setting-params

Permit only valid settings keys when updating blog settings
publify · Oct 13, 2024 · 0f1c768 · 0f1c768
2 parents a350c86 + c3c47cb
commit 0f1c768
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/app/controllers/admin/settings_controller.rb b/app/controllers/admin/settings_controller.rb
@@ -36,7 +36,7 @@ def update
   VALID_ACTIONS = %w(index write feedback display).freeze
 
   def settings_params
-    @settings_params ||= params.require(:setting).permit!
+    @settings_params ||= params.require(:setting).permit(@setting.settings_keys)
   end
 
   def action_param

diff --git a/app/models/config_manager.rb b/app/models/config_manager.rb
@@ -28,6 +28,10 @@ def default_for(key)
       fields[key.to_s].default
     end
 
+    def settings_keys
+      fields.keys
+    end
+
     private
 
     def add_setting_reader(item)
@@ -65,6 +69,10 @@ def canonicalize(key, value)
     self.class.fields[key.to_s].canonicalize(value)
   end
 
+  def settings_keys
+    self.class.settings_keys
+  end
+
   class Item
     VALID_TYPES = [:boolean, :integer, :string, :text].freeze