Limit accepted parameters for Sidebar update in Admin

Each sidebar generates a form containing just the fields defined in sidebar.fields. So it is not necessary, and also unsafe, to permit just any parameter. Instead, permit only the defined fields.
publify · Oct 13, 2024 · 87d06b0 · 87d06b0
1 parent baab9ce
commit 87d06b0
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/app/controllers/admin/sidebar_controller.rb b/app/controllers/admin/sidebar_controller.rb
@@ -8,9 +8,11 @@ def index
 
   # Just update a single active Sidebar instance at once
   def update
-    @sidebar = Sidebar.where(id: params[:id]).first
+    @sidebar = Sidebar.find(params[:id])
     @old_s_index = @sidebar.staged_position || @sidebar.active_position
-    @sidebar.update params[:configure][@sidebar.id.to_s].permit!
+    @sidebar.update params.require(:configure)
+      .require(@sidebar.id.to_s)
+      .permit(@sidebar.fields.map(&:key))
     respond_to do |format|
       format.js
       format.html do