Skip to content

Require explict allowlisting of attributes and associations #1400

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Feb 6, 2023
Merged

Require explict allowlisting of attributes and associations #1400

merged 1 commit into from
Feb 6, 2023
+182 −17

Conversation

deivid-rodriguez
Copy link
Contributor

Fixes #1273.

@deivid-rodriguez deivid-rodriguez force-pushed the improve-defaults branch 5 times, most recently from 742c863 to 8674980 Compare February 2, 2023 12:59
@deivid-rodriguez deivid-rodriguez marked this pull request as ready for review February 2, 2023 14:15
@deivid-rodriguez deivid-rodriguez mentioned this pull request Feb 2, 2023
Closed
@deivid-rodriguez
Copy link
Contributor Author

@scarroll32 Ok with releasing this as Ransack 4.0?

Narnach
Narnach reviewed Feb 3, 2023
View reviewed changes
lukas-eu
lukas-eu reviewed Feb 3, 2023
View reviewed changes
Copy link
Contributor

@lukas-eu lukas-eu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A typo and another idea for naming the list of all attributes/associations

@tagliala tagliala mentioned this pull request Feb 3, 2023
Closed
@deivid-rodriguez @lukas-eu @Narnach
Require explict allowlisting of attributes and associations
05db5c6 
Co-authored-by: lukas-eu <62448426+lukas-eu@users.noreply.github.com>
Co-authored-by: Wes Oldenbeuving <wes@narnach.com>
@deivid-rodriguez deivid-rodriguez merged commit 2922e33 into main Feb 6, 2023
@deivid-rodriguez deivid-rodriguez deleted the improve-defaults branch February 6, 2023 23:03
@deivid-rodriguez
Copy link
Contributor Author

I will prepare a release tomorrow.

@deivid-rodriguez
Copy link
Contributor Author

@scarroll32 I created a release draft. It's been a while without releases, so let me know how it looks if you have some time! Otherwise I'll just release this tommorrow™️.

@stillhart stillhart mentioned this pull request Feb 10, 2023
Open
@ykamin-booth ykamin-booth mentioned this pull request Feb 10, 2023
Closed
@boehle boehle mentioned this pull request Feb 17, 2023
Merged
@scarroll32
Copy link
Member

References

@ahukkanen ahukkanen mentioned this pull request Apr 20, 2023
Open
This was referenced Jun 20, 2023
Closed
Merged
@difernandez difernandez mentioned this pull request Aug 3, 2023
Merged
6 tasks
@veelenga veelenga mentioned this pull request Aug 7, 2023
Merged
4 tasks
@eliotsykes eliotsykes mentioned this pull request Aug 30, 2023
Open
@murny murny mentioned this pull request Sep 20, 2023
Merged
@AndreyCerqueiraLima
Copy link

I really understood the security idea about this change.

But when something doesn't have a door the path is "free".
When you put a door on the path and force every player to implement a key to use this door, everything is okay when this door is just for 2 people.

However, when all of the world need to use this door, you generate a big problem! Imagine, need to generate a key for everyone.

So, this behavior break so many applications that discourages people use ransack. Because the core changed and break the whole app, forced to implement this security feature.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Narnach Narnach

@lukas-eu lukas-eu

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

About default searchable attributes and associations
5 participants
@deivid-rodriguez @scarroll32 @AndreyCerqueiraLima @Narnach @lukas-eu