From 0a450d58f4503a06e318bccea4af29949915c775 Mon Sep 17 00:00:00 2001
From: merefield
Date: Wed, 23 Aug 2023 14:33:07 +0100
Subject: [PATCH] SECURITY: remove sensitive user content from submissions export
---
 app/controllers/custom_wizard/admin/submissions.rb | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/app/controllers/custom_wizard/admin/submissions.rb b/app/controllers/custom_wizard/admin/submissions.rb
index c3bf809f..72f0961a 100644
--- a/app/controllers/custom_wizard/admin/submissions.rb
+++ b/app/controllers/custom_wizard/admin/submissions.rb
@@ -22,7 +22,12 @@ class CustomWizard::AdminSubmissionsController < CustomWizard::AdminController
 end

 def download
- send_data submission_list.submissions.to_json,
+ content = ActiveModel::ArraySerializer.new(
+ submission_list.submissions,
+ each_serializer: CustomWizard::SubmissionSerializer
+ )
+
+ send_data content.to_json,
 filename: "#{Discourse.current_hostname}-wizard-submissions-#{@wizard.name}.json",
 content_type: "application/json",
 disposition: "attachment"
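Review bot: The redaction in `download` now depends entirely on the attribute allow-list of `CustomWizard::SubmissionSerializer`, which is not part of this patch, and the diffstat shows only the controller changed, so nothing pins the fix against regression. A request spec for the download action that parses the returned JSON and asserts the sensitive user fields are absent would catch a later change that widens the serializer or reverts to calling `to_json` on the raw submissions. A comment above the new `content = ...` assignment would also help the next maintainer, for example `# Export only through SubmissionSerializer; calling to_json on raw submissions exposes sensitive user content.` The body of `download` continues past the end of the hunk, so the rest of the method was not reviewed.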