v1.0.1
This is a patch release fixing a major security vulnerability.
Changes
- ransackable associations are now whitelisted
- ransackable attributes are now whitelisted
- payment `response_code`s are no longer shown in the API
- `spree_api_key`s are no longer shown in the admin
- Fixes to some combinations of PermissionSet
Upgrading
We've kept the changes minimal for this patch release. However, the security change to ransack may cause issues in custom ransack searches: any custom associations or attributes that are searched on will have to be whitelisted. For example:
```ruby
# in config/initializers/spree.rb
Spree::Product.whitelisted_ransackable_associations |= ['category_page']
Spree::Product.whitelisted_ransackable_attributes |= ['extra_description']
```
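
One way to find which custom search keys need the whitelist additions described above, as an added example (not Solidus or Ransack code). The predicate list is a simplified subset, and the allow-list hash shape, helper names and sample keys are constructed for illustration.

```ruby
# Added example: stand-alone sketch, not Solidus or Ransack source code.
# Simplified subset of Ransack predicate suffixes, longest first so that
# "_not_eq" is tried before "_eq".
PREDICATES = %w[not_cont not_eq present blank start gteq lteq cont null end eq gt lt in].sort_by { |p| -p.length }.freeze

# Split a search key such as "name_or_sku_cont" into the names it references.
# Returns nil when the key does not end in a known predicate.
def names_in(key)
  pred = PREDICATES.find { |p| key.end_with?("_#{p}") }
  pred && key.delete_suffix("_#{pred}").split('_or_')
end

# allowed is a hypothetical structure:
#   { attributes: [names], associations: { 'assoc' => [names] } }
def allowed_name?(name, allowed)
  return true if allowed[:attributes].include?(name)
  allowed[:associations].any? do |assoc, attrs|
    name.start_with?("#{assoc}_") && attrs.include?(name.delete_prefix("#{assoc}_"))
  end
end

# Map each search key to the names it uses that are not allow-listed.
# Keys that are fully allow-listed are left out of the report.
def unlisted_search_keys(keys, allowed)
  keys.each_with_object({}) do |key, report|
    names = names_in(key) || [key] # unparseable keys are reported whole
    missing = names.reject { |n| allowed_name?(n, allowed) }
    report[key] = missing unless missing.empty?
  end
end

# Constructed sample data: search keys used by a custom product search.
SAMPLE_KEYS = %w[name_cont variants_sku_eq extra_description_cont
                 category_page_title_eq name_or_extra_description_cont].freeze

# Constructed allow-lists before and after the initializer additions.
BEFORE = { attributes: %w[name slug], associations: { 'variants' => %w[sku] } }.freeze
AFTER  = { attributes: %w[name slug extra_description],
           associations: { 'variants' => %w[sku], 'category_page' => %w[title] } }.freeze

if __FILE__ == $PROGRAM_NAME
  unlisted_search_keys(SAMPLE_KEYS, BEFORE).each { |k, m| puts "#{k}: #{m.join(', ')}" }
end
```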