Ghost/ghost/core/test
Naz 22738b1b50 🔒 Disabled editable relations by default
refs https://github.com/TryGhost/Ghost/security/advisories/GHSA-9gh8-wp53-ccc6
refs https://github.com/TryGhost/Toolbox/issues/465

- Bookshelf relations allow us to edit relational records by default, which was used liberally in the codebase.
- Not having a clear track record of editable relations left the model layer prone to triggering unwanted nested saves and created a vulnerability where members were able to edit newsletter settings.
- With explicit editable relations it's easier to keep track of relations having editable access to related records. Makes the relational data modification pattern safer to use too.
- Anyone running 5.x should update to 5.24.1

Credits: Dave McDaniel and other members of [Cisco Talos](https://talosintelligence.com/vulnerability_reports)
2022-11-28 18:39:39 +07:00
| Name | Last commit | Date |
| --- | --- | --- |
| e2e-api | 🔒 Disabled editable relations by default | 2022-11-28 18:39:39 +07:00 |
| e2e-browser | Added sample Portal test to PlayWright suite | 2022-11-24 17:47:04 +00:00 |
| e2e-frontend | 🔒 Disabled editable relations by default | 2022-11-28 18:39:39 +07:00 |
| e2e-server | Added email service package (#15849) | 2022-11-21 10:29:53 +01:00 |
| e2e-webhooks | Reduced default post relations (#15798) | 2022-11-15 10:17:26 +01:00 |
| integration | Added email service package (#15849) | 2022-11-21 10:29:53 +01:00 |
| regression | 🔒 Disabled editable relations by default | 2022-11-28 18:39:39 +07:00 |
| unit | Improved Sentry server side error reporting | 2022-11-23 12:37:24 +00:00 |
| utils | 🔒 Disabled editable relations by default | 2022-11-28 18:39:39 +07:00 |
| .eslintignore | Converted Ghost repo into a monorepo | 2022-07-20 16:41:05 +02:00 |
| .eslintrc.js | Converted Ghost repo into a monorepo | 2022-07-20 16:41:05 +02:00 |