From d79615dd2738bafec6c7e6dfd13c7d78c060b17a Mon Sep 17 00:00:00 2001
From: fef
Date: Fri, 2 Dec 2022 09:37:56 +0000
Subject: [PATCH] sanitize setting for number of visible reactions

This is kind of a hack, but the lack of validation for settings unfortunately makes it necessary.
---
 app/lib/user_settings_decorator.rb                       | 9 ++++++---
 app/views/settings/preferences/appearance/show.html.haml | 2 +-
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/app/lib/user_settings_decorator.rb b/app/lib/user_settings_decorator.rb
index 17fbacf0dd..f4360b9475 100644
--- a/app/lib/user_settings_decorator.rb
+++ b/app/lib/user_settings_decorator.rb
@@ -160,7 +160,7 @@ class UserSettingsDecorator
   end
 
   def visible_reactions_preference
-    integer_cast_setting 'setting_visible_reactions'
+    integer_cast_setting('setting_visible_reactions', 0)
   end
 
   def always_send_emails_preference
@@ -171,8 +171,11 @@ class UserSettingsDecorator
     ActiveModel::Type::Boolean.new.cast(settings[key])
   end
 
-  def integer_cast_setting(key)
-    ActiveModel::Type::Integer.new.cast(settings[key])
+  def integer_cast_setting(key, min = nil, max = nil)
+    i = ActiveModel::Type::Integer.new.cast(settings[key])
+    return min if !min.nil? && i < min
+    return max if !max.nil? && i > max
+    i
   end
 
   def coerced_settings(key)
diff --git a/app/views/settings/preferences/appearance/show.html.haml b/app/views/settings/preferences/appearance/show.html.haml
index 6c5f7414ec..af8cd4bd85 100644
--- a/app/views/settings/preferences/appearance/show.html.haml
+++ b/app/views/settings/preferences/appearance/show.html.haml
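Review bot: `integer_cast_setting` in the second hunk compares `i < min` without handling a nil cast result, so a request that omits or blanks `setting_visible_reactions` (the call in the first hunk now passes min 0) would raise NoMethodError on nil instead of returning nil as the old code did — ActiveModel's Integer cast returns nil for nil and, as far as I recall, for an empty string via `presence`, so this is reachable from any client that does not send the field. Adding `return i if i.nil?` directly after the cast line keeps the previous nil pass-through while still clamping real values; `i.clamp(min..max)` would be the idiomatic alternative if the project's Ruby supports beginless and endless ranges in `clamp`, which I cannot confirm from this patch. As a style point, `!min.nil? && i < min` reads more naturally as `min && i < min`, and likewise for `max`. No upper bound is given at the call site; whether an arbitrarily large value matters downstream is not visible here.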
@@ -37,7 +37,7 @@ = f.input :setting_crop_images, as: :boolean, wrapper: :with_label
 .fields-group.fields-row__column.fields-row__column-6
- = f.input :setting_visible_reactions, wrapper: :with_label, input_html: { type: 'number', data: { default: '6' } }, hint: false
+ = f.input :setting_visible_reactions, wrapper: :with_label, input_html: { type: 'number', min: '0', data: { default: '6' } }, hint: false
 %h4= t 'appearance.discovery'