BUGFIX: hide sensitive site settings

Author: ZogStriP

app/assets/javascripts/admin/models/site_setting.js

@@ -71,9 +71,10 @@ Discourse.SiteSetting = Discourse.Model.extend({
   **/
   save: function() {
     // Update the setting
-    var setting = this;
-    return Discourse.ajax("/admin/site_settings/" + (this.get('setting')), {
-      data: { value: this.get('value') },
+    var setting = this, data = {};
+    data[this.get('setting')] = this.get('value');
+    return Discourse.ajax("/admin/site_settings/" + this.get('setting'), {
+      data: data,
       type: 'PUT'
     }).then(function() {
       setting.set('originalValue', setting.get('value'));

app/controllers/admin/site_settings_controller.rb

@@ -7,9 +7,11 @@ def index
   end
 
   def update
-    raise ActionController::ParameterMissing.new(:value) unless params.has_key?(:value)
-    StaffActionLogger.new(current_user).log_site_setting_change(params[:id], SiteSetting.send("#{params[:id]}"), params[:value]) if SiteSetting.respond_to?(params[:id])
-    SiteSetting.send("#{params[:id]}=", params[:value])
+    params.require(:id)
+    id = params[:id]
+    value = params[id]
+    StaffActionLogger.new(current_user).log_site_setting_change(id, SiteSetting.send(id), value) if SiteSetting.respond_to?(id)
+    SiteSetting.send("#{id}=", value)
     render nothing: true
   end
 

config/application.rb

@@ -88,7 +88,15 @@ class Application < Rails::Application
     config.encoding = 'utf-8'
 
     # Configure sensitive parameters which will be filtered from the log file.
-    config.filter_parameters += [:password]
+    config.filter_parameters += [
+        :password,
+        :pop3s_polling_password,
+        :s3_secret_access_key,
+        :twitter_consumer_secret,
+        :facebook_app_secret,
+        :github_client_secret,
+        :discourse_org_access_key,
+    ]
 
     # Enable the asset pipeline
     config.assets.enabled = true

spec/controllers/admin/site_settings_controller_spec.rb

@@ -25,30 +25,24 @@
 
     context 'update' do
 
-      it 'requires a value parameter' do
-        lambda { xhr :put, :update, id: 'test_setting' }.should raise_error(ActionController::ParameterMissing)
-      end
-
       it 'sets the value when the param is present' do
         SiteSetting.expects(:'test_setting=').with('hello').once
-        xhr :put, :update, id: 'test_setting', value: 'hello'
+        xhr :put, :update, id: 'test_setting', test_setting: 'hello'
       end
 
       it 'allows value to be a blank string' do
         SiteSetting.expects(:'test_setting=').with('').once
-        xhr :put, :update, id: 'test_setting', value: ''
+        xhr :put, :update, id: 'test_setting', test_setting: ''
       end
 
       it 'logs the change' do
         SiteSetting.stubs(:test_setting).returns('previous')
         SiteSetting.expects(:'test_setting=').with('hello').once
         StaffActionLogger.any_instance.expects(:log_site_setting_change).with('test_setting', 'previous', 'hello')
-        xhr :put, :update, id: 'test_setting', value: 'hello'
+        xhr :put, :update, id: 'test_setting', test_setting: 'hello'
       end
     end
 
   end
 
-
-
 end