Filter variables when updating user profile

2017-08-11 22:18:53 -07:00 · 2017-08-11 22:18:53 -07:00 · b79b18efd7
parent 88dd6abbf3
commit b79b18efd7
2 changed files with 13 additions and 4 deletions
--- a/app/Controller/UserCredentialController.php
+++ b/app/Controller/UserCredentialController.php
@ -44,7 +44,11 @@ class UserCredentialController extends BaseController
        list($valid, $errors) = $this->userValidator->validatePasswordModification($values);

        if (! $this->userSession->isAdmin()) {
-            $values['id'] = $this->userSession->getId();
+            $values = array(
+                'id' => $this->userSession->getId(),
+                'password' => isset($values['password']) ? $values['password'] : '',
+                'confirmation' => isset($values['confirmation']) ? $values['confirmation'] : '',
+            );
        }

        if ($valid) {
--- a/app/Controller/UserModificationController.php
+++ b/app/Controller/UserModificationController.php
@ -47,9 +47,14 @@ class UserModificationController extends BaseController
        $values = $this->request->getValues();

        if (! $this->userSession->isAdmin()) {
-            if (isset($values['role'])) {
-                unset($values['role']);
-            }
+            $values = array(
+                'id' => $this->userSession->getId(),
+                'username' => isset($values['username']) ? $values['username'] : '',
+                'name' => isset($values['name']) ? $values['name'] : '',
+                'email' => isset($values['email']) ? $values['email'] : '',
+                'timezone' => isset($values['timezone']) ? $values['timezone'] : '',
+                'language' => isset($values['language']) ? $values['language'] : '',
+            );
        }

        list($valid, $errors) = $this->userValidator->validateModification($values);