From 0a84738288648086488e00e23e6e26af32c1ede7 Mon Sep 17 00:00:00 2001
From: Matijs van Zuijlen
Date: Sun, 13 Oct 2024 10:25:50 +0200
Subject: [PATCH] Use known set of allowed attributes when autosaving an Article

The attributes of an Article are known, so there is no need to permit all parameters. Since it is also unsafe, replace it with the already known set of good parameters defined in #update_params.
---
 app/controllers/admin/articles_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/controllers/admin/articles_controller.rb b/app/controllers/admin/articles_controller.rb
index 3db8dde5..15b30592 100644
--- a/app/controllers/admin/articles_controller.rb
+++ b/app/controllers/admin/articles_controller.rb
@@ -108,7 +108,7 @@ def autosave
     fetch_fresh_or_existing_draft_for_article
-    @article.attributes = params[:article].permit!
+    @article.assign_attributes(update_params)
     @article.author = current_user
     @article.save_attachments!(params[:attachments])