Clean user post to ensure dynamically added form fields are not saved

Andy Miller
2018-12-13 15:46:26 -07:00
parent b2ce963e3b
commit f0c0af4e8a
2 changed files with 27 additions and 2 deletions


@@ -638,12 +638,12 @@ class Admin
$data[$type] = $obj;
} elseif (preg_match('|users/|', $type)) {
$obj = User::load(preg_replace('|users/|', '', $type));
$obj->merge($post);
$obj->merge($this->cleanUserPost($post));
$data[$type] = $obj;
} elseif (preg_match('|user/|', $type)) {
$obj = User::load(preg_replace('|user/|', '', $type));
$obj->merge($post);
$obj->merge($this->cleanUserPost($post));
$data[$type] = $obj;
} elseif (preg_match('|config/|', $type)) {
@@ -688,6 +688,25 @@ class Admin
return $data[$type];
}
/**
* Clean user form post and remove extra stuff that may be passed along
*
* @param $post
* @return array
*/
protected function cleanUserPost($post)
{
// Clean fields for all users
unset($post['hashed_password']);
// Clean field for users who shouldn't be able to modify these fields
if (!$this->authorize(['admin.user', 'admin.super'])) {
unset($post['access']);
}
return $post;
}
protected function hasErrorMessage()
{
$msgs = $this->grav['messages']->all();