From f6ac3db2d7368937557d8ca551908e06d6b93d04 Mon Sep 17 00:00:00 2001
From: Matijs van Zuijlen
Date: Sun, 13 Oct 2024 13:03:12 +0200
Subject: [PATCH] Limit allowed SEO settings params

This limits the set of parameters in the Admin::SeoController to the set of valid blog settings, similar to AdminSettingsController. In addition, it allows the extra :custom_permalink key to facilitate the options plus text field construction in the SEO settings form.

This eliminates the use of the unsafe #permit! method.
---
 app/controllers/admin/seo_controller.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/app/controllers/admin/seo_controller.rb b/app/controllers/admin/seo_controller.rb
index 37d32662..4695389b 100644
--- a/app/controllers/admin/seo_controller.rb
+++ b/app/controllers/admin/seo_controller.rb
@@ -30,7 +30,11 @@ def update
   private
 
   def settings_params
-    @settings_params ||= params.require(:setting).permit!
+    @settings_params ||= params.require(:setting).permit(settings_keys)
+  end
+
+  def settings_keys
+    @setting.settings_keys + [:custom_permalink]
   end
 
   VALID_SECTIONS = %w(general titles permalinks).freeze
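Review bot: The allowlist built in `settings_keys` is every key the blog setting reports plus `:custom_permalink`, so the SEO update action still accepts any setting the model knows about, not only those belonging to the general/titles/permalinks sections named in VALID_SECTIONS; if the intent is to confine this controller to SEO settings, consider deriving the key list from the fields the SEO form actually renders rather than from the full settings set. `permit` with bare keys also admits scalar values only, so any setting in that list that holds an array would now be dropped silently rather than rejected — worth confirming none of the SEO settings are array-valued, or listing those as `key: []`. A short comment on `settings_keys`, e.g. `# :custom_permalink is a form-only key used by the SEO form to build the permalink options/text field pair`, would record the extra key's purpose in the code, since the commit message is currently the only place that explains it. The enclosing controller class and the assignment of `@setting` lie outside the hunk, so whether `@setting` is always present when `settings_params` runs cannot be confirmed here.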