From b7833643c237f8b466e1cc48d31a8b0216839586 Mon Sep 17 00:00:00 2001
From: Alex Tselegidis
Date: Fri, 25 Mar 2022 11:59:00 +0100
Subject: [PATCH] Whitelist incoming account update request params (#1225)

---
 application/controllers/Account.php | 30 +++++++++++++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)

diff --git a/application/controllers/Account.php b/application/controllers/Account.php
index f11a1675..75fdf25d 100644
--- a/application/controllers/Account.php
+++ b/application/controllers/Account.php
@@ -48,7 +48,7 @@ class Account extends EA_Controller {
         session(['dest_url' => site_url('account')]);
 
         $user_id = session('user_id');
-        
+
         if (cannot('view', PRIV_USER_SETTINGS))
         {
             if ($user_id)
@@ -91,6 +91,32 @@ class Account extends EA_Controller {
 
         $account = request('account');
 
+        $account['id'] = session('user_id');
+
+        $this->users_model->only($account, [
+            'id',
+            'first_name',
+            'last_name',
+            'email',
+            'mobile_number',
+            'phone_number',
+            'address',
+            'city',
+            'state',
+            'zip_code',
+            'notes',
+            'timezone',
+            'language',
+            'settings'
+        ]);
+
+        $this->users_model->only($account['settings'], [
+            'username',
+            'password',
+            'notifications',
+            'calendar_view'
+        ]);
+
         $this->users_model->save($account);
 
         session([
@@ -140,7 +166,7 @@ class Account extends EA_Controller {
         try
         {
             // Check if language exists in the available languages.
-            
+
             $found = FALSE;
 
             foreach (config('available_languages') as $lang)
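Review bot: The second `only()` call in the `@@ -91,6 +91,32 @@` hunk reads `$account['settings']` unconditionally, so a request whose `account` payload omits `settings` (or sends it as a scalar) reaches that line with an undefined or wrong-typed key instead of a clean validation failure; guard it first with `$account['settings'] = $account['settings'] ?? [];` or reject the request when the key is not an array. The same gap exists one step earlier: `request('account')` is used as an array without a check, so a missing or scalar `account` parameter would fail on `$account['id'] = session('user_id');` rather than being rejected as bad input. Both calls also appear to rely on `only()` filtering its first argument in place (by reference) — that signature is not visible in the hunk, and if it instead returns the filtered array the whitelist would have no effect on what `save()` receives, so that is worth confirming. Forcing `$account['id']` from the session before whitelisting is the right order; a comment such as `// The id always comes from the session: a user may only update their own record.` would record that intent for the next maintainer. The enclosing save method continues outside the hunk.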