Naz 22738b1b50 🔒 Disabled editable relations by default ... refs https://github.com/TryGhost/Ghost/security/advisories/GHSA-9gh8-wp53-ccc6 refs https://github.com/TryGhost/Toolbox/issues/465 - Bookshelf relations allows us to edit relational records by default, which was used liberally in the codebase. - Not having a clear track record of editable relations left the model layer prone to triggering unwanted nested saves and created a vulnerability where members were able to edit newsletter settings. - With explicit editable relations it's easier to keep track of relations having editable access to related records. Makes the relational data modification pattern safer to use too. - Anyone running 5.x should update to 5.24.1 Credits: Dave McDaniel and other members of [Cisco Talos](https://talosintelligence.com/vulnerability_reports)		2022-11-28 18:39:39 +07:00
..
admin	🔒 Disabled editable relations by default	2022-11-28 18:39:39 +07:00
content	Update the cover image in default fixtures (#15817)	2022-11-15 21:19:50 +00:00
members	Added member API for removing email from suppression list (#15867)	2022-11-23 14:41:00 +04:00
members-comments	Sped up comments and feedback tests by reusing Ghost app instance	2022-11-18 14:58:35 +01:00
shared	Update the cover image in default fixtures (#15817)	2022-11-15 21:19:50 +00:00