I can see that my previous XSS issue has been more or less ignored, so I don't know why I'm posting this. Anyway, drafts are accessible by everyone, which I do not think is what users of the script expect - here's a quick and dirty patch
diff --git a/app/controllers/blog_posts_controller.rb b/app/controllers/blog_posts_controller.rb
index 9b7a55c..7ccfdd6 100644
--- a/app/controllers/blog_posts_controller.rb
+++ b/app/controllers/blog_posts_controller.rb
@@ -32,6 +32,10 @@ class BlogPostsController < ApplicationController
def show
@blog_post = BlogPost.find(params[:id])
- unless @blog_post.published == 1
-
-
- end
@blog_comment = @blog_post.blog_comments.new
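Review bot: the guard added in this hunk, `unless @blog_post.published == 1 … end`, has an empty body, so as written it never redirects, raises or renders anything and the unpublished post is still shown; the block needs an action inside it, for example `raise ActiveRecord::RecordNotFound` (so an unpublished id answers 404 exactly like a missing one) or a redirect, and it should still let the post's author or an admin through, otherwise nobody can preview a draft. Also, the hunk header `@@ -32,6 +32,10 @@` says four lines are added, yet those four lines carry `-` prefixes rather than `+`, so the patch as pasted will not apply cleanly; re-export it with `git diff` or `git format-patch`. Finally, `published == 1` assumes an integer column; if `published` is a boolean, use `@blog_post.published?` instead.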
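The access rule the patch is reaching for, shown as an added example that is not part of the post or of the project's code. It models the controller's `show` in plain Ruby (no Rails) so it runs stand-alone: the `BlogPost`, `Viewer` and `NotFound` names, the integer `published` flag (1 = published, as in the patch), the `author_id` and `admin` attributes and the sample posts are all assumptions made here for illustration.

```ruby
# Added example, not the project's code. Models the rule "drafts are visible
# only to their author or an admin; published posts are public" without Rails.
# Assumed (not from the page): posts carry an integer `published` flag
# (1 = published, as in the patch) and an `author_id`; a viewer is nil
# (anonymous) or has an `id` and an `admin` flag.

BlogPost = Struct.new(:id, :published, :author_id, keyword_init: true)
Viewer   = Struct.new(:id, :admin, keyword_init: true)

# Stands in for ActiveRecord::RecordNotFound, which Rails renders as a 404.
class NotFound < StandardError; end

# Returns true when `viewer` may see `post`.
def visible_to?(post, viewer)
  return true if post.published == 1          # published: public
  return false if viewer.nil?                  # anonymous: no drafts
  viewer.admin || viewer.id == post.author_id  # draft: author or admin only
end

# Mirrors the controller's `show`: look the post up, then raise the same
# error for "not allowed" as for "does not exist", so an unpublished id does
# not reveal that a draft with that id is there.
def show_post(posts, id, viewer)
  post = posts.find { |p| p.id == id }
  raise NotFound unless post && visible_to?(post, viewer)
  post
end

# Constructed sample data: one published post and one draft by the same author.
POSTS = [
  BlogPost.new(id: 1, published: 1, author_id: 10),
  BlogPost.new(id: 2, published: 0, author_id: 10),
].freeze

if __FILE__ == $PROGRAM_NAME
  author   = Viewer.new(id: 10, admin: false)
  stranger = Viewer.new(id: 42, admin: false)
  [[nil, 'anonymous'], [author, 'author'], [stranger, 'stranger']].each do |viewer, label|
    [1, 2].each do |id|
      begin
        show_post(POSTS, id, viewer)
        puts "#{label} -> post #{id}: shown"
      rescue NotFound
        puts "#{label} -> post #{id}: 404"
      end
    end
  end
end
```

The key design point is the single `raise NotFound` for both the missing and the forbidden case: a separate "you may not view this" response would confirm that the draft exists, and a silent fall-through (the empty `unless` body in the patch) would show it.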