Consul v1.0.3 Release Notes

Release Date: 2019-09-24 // over 1 year ago
  • ๐Ÿ”’ Security fix

    ๐Ÿš€ This releases fix a security issue where in a controller with multiple power directives, the :only and :except options of the last directive was applied to all directives.

    Affected code looks like this:

    class UsersController < ApplicationController
      power :foo
      power :bar, only: :index
    
      ...
    end
    

    In this example both the powers :foo and :bar were only checked for the #index action. Other actions were left unprotected by powers checks.

    Controllers with a single power directive are unaffected. Contollers where neither power uses :only or :except options are unaffected.

    This vulnerability has been assigned the CVE identifier CVE-2019-16377.

    Compatible changes

    • ๐Ÿ‘€ The RSpec matcher check_power now also sees powers inherited by a parent controller.

Previous changes from v1.0.2

  • Compatible changes

    • The #arity of power methods with optional arguments is now preserved.