From 3b5f8c2e6aeaeccdce12e91eb152fac15818f4b1 Mon Sep 17 00:00:00 2001 From: David Heinemeier Hansson Date: Sat, 5 Apr 2025 15:56:12 +0200 Subject: [PATCH] Note the security oddity of finding straight off root --- app/controllers/concerns/bubble_scoped.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/app/controllers/concerns/bubble_scoped.rb b/app/controllers/concerns/bubble_scoped.rb index 5805b58ec..2f422727c 100644 --- a/app/controllers/concerns/bubble_scoped.rb +++ b/app/controllers/concerns/bubble_scoped.rb @@ -7,6 +7,7 @@ module BubbleScoped private def set_bubble + # Finding the bubble on the root depends on checking permission by finding its bucket via Current.user @bubble = Bubble.find(params[:bubble_id]) end