From 87d06b0b6abbd3ad1a3f559faece5a48da5ca4a6 Mon Sep 17 00:00:00 2001
From: Matijs van Zuijlen
Date: Sun, 13 Oct 2024 10:09:09 +0200
Subject: [PATCH] Limit accepted parameters for Sidebar update in Admin

Each sidebar generates a form containing just the fields defined in sidebar.fields. So it is not necessary, and also unsafe, to permit just any parameter. Instead, permit only the defined fields.
---
 app/controllers/admin/sidebar_controller.rb | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/app/controllers/admin/sidebar_controller.rb b/app/controllers/admin/sidebar_controller.rb
index 8191933f..7731f279 100644
--- a/app/controllers/admin/sidebar_controller.rb
+++ b/app/controllers/admin/sidebar_controller.rb
@@ -8,9 +8,11 @@ def index
 
 # Just update a single active Sidebar instance at once
 def update
- @sidebar = Sidebar.where(id: params[:id]).first
+ @sidebar = Sidebar.find(params[:id])
 @old_s_index = @sidebar.staged_position || @sidebar.active_position
- @sidebar.update params[:configure][@sidebar.id.to_s].permit!
+ @sidebar.update params.require(:configure)
+ .require(@sidebar.id.to_s)
+ .permit(@sidebar.fields.map(&:key))
 respond_to do |format|
 format.js
 format.html do
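Review bot: `.permit(@sidebar.fields.map(&:key))` permits scalar values only, so any sidebar field whose form control submits an array (a multi-select or checkbox group) would now be silently dropped instead of saved; if such fields exist they need an explicit array entry, e.g. (illustrative) `.permit(*scalar_keys, *array_keys.map { |k| { k => [] } })`. Unpermitted keys are discarded without any error unless `action_on_unpermitted_parameters` is configured, so a mismatch between the names the form submits and `fields` would be invisible to the existing tests; setting it to `:raise` in the test environment would surface that. The `require(@sidebar.id.to_s)` chain now answers a form that submits no fields with a 400 rather than a 500, which is the intended behaviour but worth a test. The rest of `update` (the `respond_to` block) continues past the hunk.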