DEV: Sanitize integer site settings in front- and back-end (#23816)

Currently, if you set an integer site setting in the admin interface and include thousands separators, you will silently configure the wrong value. This PR replaces TextField inputs for integer site settings with NumberField. It also cleans the numeric input of any non-digits in the backend in case any separators make it through.
2023-10-06 19:21:01 +02:00 · 2023-10-06 19:21:01 +02:00 · e113eff663
parent 484004fc5e
commit e113eff663
6 changed files with 20 additions and 1 deletions
--- a/app/assets/javascripts/admin/addon/components/site-settings/integer.hbs
+++ b/app/assets/javascripts/admin/addon/components/site-settings/integer.hbs
@ -0,0 +1,4 @@
+<NumberField @value={{this.value}} @classNames="input-setting-integer" />
+
+<SettingValidationMessage @message={{this.validationMessage}} />
+<div class="desc">{{html-safe this.setting.description}}</div>
--- a/app/assets/javascripts/admin/addon/components/site-settings/integer.js
+++ b/app/assets/javascripts/admin/addon/components/site-settings/integer.js
@ -0,0 +1,3 @@
+import Component from "@ember/component";
+
+export default class Integer extends Component {}
--- a/app/assets/javascripts/admin/addon/mixins/setting-component.js
+++ b/app/assets/javascripts/admin/addon/mixins/setting-component.js
@ -15,6 +15,7 @@ import SiteSettingDefaultCategoriesModal from "../components/modal/site-setting-

 const CUSTOM_TYPES = [
  "bool",
+  "integer",
  "enum",
  "list",
  "url_list",
--- a/app/assets/stylesheets/common/admin/settings.scss
+++ b/app/assets/stylesheets/common/admin/settings.scss
@ -58,6 +58,7 @@
      float: left;
    }
    .input-setting-string,
+    .input-setting-integer,
    .input-setting-textarea {
      width: 100%;
      @media (max-width: $mobile-breakpoint) {
--- a/app/controllers/admin/site_settings_controller.rb
+++ b/app/controllers/admin/site_settings_controller.rb
@ -31,7 +31,10 @@ class Admin::SiteSettingsController < Admin::AdminController

    raise_access_hidden_setting(id)

-    if SiteSetting.type_supervisor.get_type(id) == :uploaded_image_list
+    case SiteSetting.type_supervisor.get_type(id)
+    when :integer
+      value = value.gsub(/\D/, "")
+    when :uploaded_image_list
      value = Upload.get_from_urls(value.split("|")).to_a
    end

--- a/spec/requests/admin/site_settings_controller_spec.rb
+++ b/spec/requests/admin/site_settings_controller_spec.rb
@ -269,6 +269,13 @@ RSpec.describe Admin::SiteSettingsController do
        expect(SiteSetting.title).to eq("")
      end

+      it "sanitizes integer values" do
+        put "/admin/site_settings/suggested_topics.json", params: { suggested_topics: "1,000" }
+
+        expect(response.status).to eq(200)
+        expect(SiteSetting.suggested_topics).to eq(1000)
+      end
+
      context "with default user options" do
        let!(:user1) { Fabricate(:user) }
        let!(:user2) { Fabricate(:user) }