Nemcio/Grav-Admin-Plugin
1
0
Fork 0
mirror of https://github.com/getgrav/grav-plugin-admin.git synced 2025-11-03 11:55:52 +01:00
Code Issues Packages Projects Releases Activity

Clean user post to ensure dynamically added form fields are not saved

Browse Source
This commit is contained in:
Andy Miller
2018-12-13 15:46:26 -07:00
parent b2ce963e3b
commit f0c0af4e8a
2 changed files with 27 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
CHANGELOG.md
View File

@@ -1,3 +1,9 @@
# v1.8.15
## mm/dd/2018
1. [](#bugfix)
* Clean user post to ensure dynamically added form fields are not saved
# v1.8.14 # v1.8.14
## 11/12/2018 ## 11/12/2018

23
classes/admin.php
View File

@@ -638,12 +638,12 @@ class Admin
$data[$type] = $obj; $data[$type] = $obj;
} elseif (preg_match('|users/|', $type)) { } elseif (preg_match('|users/|', $type)) {
$obj = User::load(preg_replace('|users/|', '', $type)); $obj = User::load(preg_replace('|users/|', '', $type));
$obj->merge($post); $obj->merge($this->cleanUserPost($post));
$data[$type] = $obj; $data[$type] = $obj;
} elseif (preg_match('|user/|', $type)) { } elseif (preg_match('|user/|', $type)) {
$obj = User::load(preg_replace('|user/|', '', $type)); $obj = User::load(preg_replace('|user/|', '', $type));
$obj->merge($post); $obj->merge($this->cleanUserPost($post));
$data[$type] = $obj; $data[$type] = $obj;
} elseif (preg_match('|config/|', $type)) { } elseif (preg_match('|config/|', $type)) {
@@ -688,6 +688,25 @@ class Admin
return $data[$type]; return $data[$type];
} }
/**
* Clean user form post and remove extra stuff that may be passed along
*
* @param $post
* @return array
*/
protected function cleanUserPost($post)
{
// Clean fields for all users
unset($post['hashed_password']);
// Clean field for users who shouldn't be able to modify these fields
if (!$this->authorize(['admin.user', 'admin.super'])) {
unset($post['access']);
}
return $post;
}
protected function hasErrorMessage() protected function hasErrorMessage()
{ {
$msgs = $this->grav['messages']->all(); $msgs = $this->grav['messages']->all();