fix vulnerabilities
2026-01-26 21:38:17 +01:00
parent 35f10c4bda
commit a69be52b72
6 changed files with 54 additions and 17 deletions
@@ -44,6 +44,12 @@ class Admin::InvitationsController < Admin::BaseController
private
def invitation_params
params.require(:user).permit(:email, :name, :role, :primary_language)
permitted = params.require(:user).permit(:email, :name, :primary_language)
if params[:user][:role].present? && User.roles.key?(params[:user][:role])
permitted[:role] = params[:user][:role]
end
permitted
end
end
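Review bot: The role allow-list in `invitation_params` is a line-for-line copy of the one this commit adds to `Admin::UsersController#user_params`, and two copies of a privilege-relevant check can drift apart. A single private helper on `Admin::BaseController`, for example `def valid_role_param; role = params.dig(:user, :role); role if User.roles.key?(role); end`, would let both methods use `permitted[:role] = valid_role_param if valid_role_param`. An unrecognised role is also dropped silently here, so the invitation presumably falls back to the model's default role without telling the admin; if that is intended, a comment such as `# Unknown roles are ignored; the invitation keeps the default role` would document it.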
+16 -3
@@ -3,14 +3,20 @@ class Admin::UsersController < Admin::BaseController
def index
@users = User.order(created_at: :desc)
@users = @users.where(role: params[:role]) if params[:role].present?
@users = @users.where("email LIKE ?", "%#{params[:q]}%") if params[:q].present?
.by_role(params[:role])
.search_email(params[:q])
end
def edit
end
def update
# Prevent users from modifying their own role
if @user == current_user && user_params[:role].present?
redirect_to admin_users_path, alert: "You cannot modify your own role."
return
end
if @user.update(user_params)
redirect_to admin_users_path, notice: "User updated successfully."
else
@@ -40,6 +46,13 @@ class Admin::UsersController < Admin::BaseController
end
def user_params
params.require(:user).permit(:name, :email, :role, :primary_language)
permitted = params.require(:user).permit(:name, :email, :primary_language)
# Only allow role if it's a valid role enum value
if params[:user][:role].present? && User.roles.key?(params[:user][:role])
permitted[:role] = params[:user][:role]
end
permitted
end
end
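Review bot: The self-role guard in `update` fires whenever a valid `role` is posted, even when it equals the role the admin already has, so if the edit form always submits the role field an admin can no longer change their own name or e-mail. Comparing with the stored value keeps the protection without that side effect: `if @user == current_user && user_params[:role].present? && user_params[:role] != @user.role` (assuming `role` is a Rails enum, as `User.roles` suggests). The `by_role` and `search_email` scopes are defined outside this section, so it is worth confirming that `search_email` still binds the term as a query parameter, as the removed `LIKE ?` clause did. `update` continues past the end of the first hunk.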
+7 -1
@@ -2,7 +2,7 @@ class EntriesController < ApplicationController
before_action :set_entry, only: [ :show, :edit, :update ]
def index
@language_code = params[:language].presence
@language_code = validate_language_code(params[:language].presence)
@category = params[:category].presence
@query = params[:q].to_s.strip
@starts_with = params[:starts_with].presence
@@ -79,4 +79,10 @@ class EntriesController < ApplicationController
def entry_params
params.require(:entry).permit(:category)
end
def validate_language_code(code)
return nil if code.blank?
SupportedLanguage.valid_codes.include?(code) ? code : nil
end
end
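Review bot: Only `params[:language]` is checked against an allow-list in `index`; `@category` and `@starts_with` on the lines that follow are still taken from the request as-is. How they are used lies outside this hunk, but if either reaches a query they deserve the same treatment: an allow-list for the category, and `sanitize_sql_like` on the prefix if it ends up in a `LIKE` pattern. `validate_language_code` would also benefit from a one-line comment, e.g. `# Returns code only when it is a supported language; anything else becomes nil (no filter)`. The hunk does not show whether the new method sits under `private`; it should, so that it is not exposed as a controller action.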