Ghost/ghost/core/test/e2e-frontend
Naz 22738b1b50 🔒 Disabled editable relations by default
refs https://github.com/TryGhost/Ghost/security/advisories/GHSA-9gh8-wp53-ccc6
refs https://github.com/TryGhost/Toolbox/issues/465

- Bookshelf relations allows us to edit relational records by default, which was used liberally in the codebase.
- Not having a clear track record of editable relations left the model layer prone to triggering unwanted nested saves and created a vulnerability where members were able to edit newsletter settings.
- With explicit editable relations it's easier to keep track of relations having editable access to related records. Makes the relational data modification pattern safer to use too.
- Anyone running 5.x should update to 5.24.1

Credits: Dave McDaniel and other members of [Cisco Talos](https://talosintelligence.com/vulnerability_reports)
2022-11-28 18:39:39 +07:00
..
helpers Fixed Tier events being created when Posts are edited 2022-09-05 17:19:27 +01:00
advanced_url_config.test.js Converted Ghost repo into a monorepo 2022-07-20 16:41:05 +02:00
custom_routes.test.js 🐛 Fixed sitemaps with no content (#15571) 2022-10-12 14:11:19 +01:00
default_routes.test.js 🐛 Removed redirects from search engine indexing (#15617) 2022-10-14 15:51:43 +07:00
email_routes.test.js Converted Ghost repo into a monorepo 2022-07-20 16:41:05 +02:00
member_stats.test.js Converted Ghost repo into a monorepo 2022-07-20 16:41:05 +02:00
members.test.js 🔒 Disabled editable relations by default 2022-11-28 18:39:39 +07:00
preview_routes.test.js Added a test suite for OPTIONS requests 2022-11-02 13:43:30 +08:00