fix vulnerabilities

app/controllers/admin/invitations_controller.rb

@@ -44,6 +44,12 @@ class Admin::InvitationsController < Admin::BaseController
   private
 
   def invitation_params
-    params.require(:user).permit(:email, :name, :role, :primary_language)
+    permitted = params.require(:user).permit(:email, :name, :primary_language)
+
+    if params[:user][:role].present? && User.roles.key?(params[:user][:role])
+      permitted[:role] = params[:user][:role]
+    end
+
+    permitted
   end
 end

app/controllers/admin/users_controller.rb

@@ -3,14 +3,20 @@ class Admin::UsersController < Admin::BaseController
 
   def index
     @users = User.order(created_at: :desc)
-    @users = @users.where(role: params[:role]) if params[:role].present?
-    @users = @users.where("email LIKE ?", "%#{params[:q]}%") if params[:q].present?
+                 .by_role(params[:role])
+                 .search_email(params[:q])
   end
 
   def edit
   end
 
   def update
+    # Prevent users from modifying their own role
+    if @user == current_user && user_params[:role].present?
+      redirect_to admin_users_path, alert: "You cannot modify your own role."
+      return
+    end
+
     if @user.update(user_params)
       redirect_to admin_users_path, notice: "User updated successfully."
     else
@@ -40,6 +46,13 @@ class Admin::UsersController < Admin::BaseController
   end
 
   def user_params
-    params.require(:user).permit(:name, :email, :role, :primary_language)
+    permitted = params.require(:user).permit(:name, :email, :primary_language)
+
+    # Only allow role if it's a valid role enum value
+    if params[:user][:role].present? && User.roles.key?(params[:user][:role])
+      permitted[:role] = params[:user][:role]
+    end
+
+    permitted
   end
 end

app/controllers/entries_controller.rb

@@ -2,7 +2,7 @@ class EntriesController < ApplicationController
   before_action :set_entry, only: [ :show, :edit, :update ]
 
   def index
-    @language_code = params[:language].presence
+    @language_code = validate_language_code(params[:language].presence)
     @category = params[:category].presence
     @query = params[:q].to_s.strip
     @starts_with = params[:starts_with].presence
@@ -79,4 +79,10 @@ class EntriesController < ApplicationController
   def entry_params
     params.require(:entry).permit(:category)
   end
+
+  def validate_language_code(code)
+    return nil if code.blank?
+
+    SupportedLanguage.valid_codes.include?(code) ? code : nil
+  end
 end

app/models/entry.rb

@@ -35,7 +35,7 @@ class Entry < ApplicationRecord
     return none unless valid_lang?(language_code)
 
     where.not(language_code => [ nil, "" ])
-      .order(Arel.sql("#{language_code} ASC"))
+      .order(arel_table[language_code].asc)
   end
 
   private

app/models/user.rb

@@ -21,6 +21,9 @@ class User < ApplicationRecord
   validates :email, presence: true, uniqueness: true
   validates :password, length: { minimum: 12 }, if: -> { password.present? }
 
+  scope :by_role, ->(role) { where(role: role) if role.present? }
+  scope :search_email, ->(q) { where("email LIKE ?", "%#{sanitize_sql_like(q)}%") if q.present? }
+
   # Invitation token expires after 14 days
   INVITATION_TOKEN_EXPIRY = 14.days