github-mirror/framework
2
0
Fork 0
mirror of https://github.com/flarum/framework.git synced 2025-02-17 01:12:45 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fix leak of private information when updating users

Browse Source
This commit is contained in:
Toby Zerner 2018-11-09 21:21:21 +10:30
parent c6aeeeb3c1
commit 0536b208e1
1 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/Api/Controller/UpdateUserController.php
View File

@ -11,6 +11,8 @@
namespace Flarum\Api\Controller; namespace Flarum\Api\Controller;
use Flarum\Api\Serializer\CurrentUserSerializer;
use Flarum\Api\Serializer\UserSerializer;
use Flarum\Core\Command\EditUser; use Flarum\Core\Command\EditUser;
use Flarum\Core\Exception\PermissionDeniedException; use Flarum\Core\Exception\PermissionDeniedException;
use Illuminate\Contracts\Bus\Dispatcher; use Illuminate\Contracts\Bus\Dispatcher;
@ -22,7 +24,7 @@ class UpdateUserController extends AbstractResourceController
/** /**
* {@inheritdoc} * {@inheritdoc}
*/ */
public $serializer = 'Flarum\Api\Serializer\CurrentUserSerializer'; public $serializer = UserSerializer::class;
/** /**
* {@inheritdoc} * {@inheritdoc}
@ -51,6 +53,10 @@ class UpdateUserController extends AbstractResourceController
$actor = $request->getAttribute('actor'); $actor = $request->getAttribute('actor');
$data = array_get($request->getParsedBody(), 'data', []); $data = array_get($request->getParsedBody(), 'data', []);
if ($actor->id == $id) {
$this->serializer = CurrentUserSerializer::class;
}
// Require the user's current password if they are attempting to change // Require the user's current password if they are attempting to change
// their own email address. // their own email address.
if (isset($data['attributes']['email']) && $actor->id == $id) { if (isset($data['attributes']['email']) && $actor->id == $id) {