From 0a450d58f4503a06e318bccea4af29949915c775 Mon Sep 17 00:00:00 2001
From: merefield
Date: Wed, 23 Aug 2023 14:33:07 +0100
Subject: [PATCH 1/2] SECURITY: remove sensitive user content from submissions export
---
app/controllers/custom_wizard/admin/submissions.rb | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/app/controllers/custom_wizard/admin/submissions.rb b/app/controllers/custom_wizard/admin/submissions.rb
index c3bf809f..72f0961a 100644
--- a/app/controllers/custom_wizard/admin/submissions.rb
+++ b/app/controllers/custom_wizard/admin/submissions.rb
@@ -22,7 +22,12 @@ class CustomWizard::AdminSubmissionsController < CustomWizard::AdminController
 end
 def download
- send_data submission_list.submissions.to_json,
+ content = ActiveModel::ArraySerializer.new(
+ submission_list.submissions,
+ each_serializer: CustomWizard::SubmissionSerializer
+ )
+
+ send_data content.to_json,
 filename: "#{Discourse.current_hostname}-wizard-submissions-#{@wizard.name}.json",
 content_type: "application/json",
 disposition: "attachment"
From da4fe79aea454d6b715f9a6fa9c04e753a7c952a Mon Sep 17 00:00:00 2001
From: merefield
Date: Wed, 23 Aug 2023 14:35:58 +0100
Subject: [PATCH 2/2] bump patch
---
plugin.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugin.rb b/plugin.rb
index c5681fb6..756154bb 100644
--- a/plugin.rb
+++ b/plugin.rb
@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 # name: discourse-custom-wizard
 # about: Forms for Discourse. Better onboarding, structured posting, data enrichment, automated actions and much more.
-# version: 2.4.17
+# version: 2.4.18
 # authors: Angus McLeod, Faizaan Gagan, Robert Barrow, Keegan George, Kaitlin Maddever, Juan Marcos Gutierrez Ramos
 # url: https://github.com/paviliondev/discourse-custom-wizard
 # contact_emails: development@pavilion.tech
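Review bot: Nothing in this patch pins the fix in `download`: the diffstat for PATCH 1/2 lists only the controller, so no spec asserts which keys the exported JSON may contain. The export now depends entirely on `CustomWizard::SubmissionSerializer`, which is not visible here, exposing only an allowlist of fields; a request spec that downloads an export and checks the user-related keys of each entry would catch a later return to raw `to_json`. A one-line comment above the serializer call, such as `# Always go through SubmissionSerializer here; raw to_json exported sensitive user content.`, would record why the indirection exists. The body of `download` ends outside the hunk, so the rest of the action could not be checked.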