discourse/lib/plugin
Alan Guo Xiang Tan 0b84353162
SECURITY: Prevent arbitrary topic custom fields from being set
Why this change?

The `PostsController#create` action allows arbitrary topic custom fields
to be set by any user that can create a topic. Without any restrictions,
this opens us up to potential security issues where plugins may be using
topic custom fields in security sensitive areas.

What does this change do?

1. This change introduces the `register_editable_topic_custom_field` plugin
API which allows plugins to register topic custom fields that are
editable either by staff users only or all users. The registered
editable topic custom fields are stored in `DiscoursePluginRegistry` and
is called by a new method `Topic#editable_custom_fields` which is then
used in the `PostsController#create` controller action. When an unpermitted custom fields is present in the `meta_data` params,
a 400 response code is returned.

2. Removes all reference to `meta_data` on a topic as it is confusing
   since we actually mean topic custom fields instead.
2023-10-16 10:51:28 -04:00
..
filter_manager.rb DEV: Apply syntax_tree formatting to lib/* 2023-01-09 12:10:19 +00:00
filter.rb DEV: Apply syntax_tree formatting to lib/* 2023-01-09 12:10:19 +00:00
instance.rb SECURITY: Prevent arbitrary topic custom fields from being set 2023-10-16 10:51:28 -04:00
metadata.rb Add discourse-ai plugin (#22619) 2023-07-14 17:29:42 +02:00