Whitelist incoming account update request params (#1225)

application/controllers/Account.php

@@ -91,6 +91,32 @@ class Account extends EA_Controller {
 
             $account = request('account');
 
+            $account['id'] = session('user_id');
+
+            $this->users_model->only($account, [
+                'id',
+                'first_name',
+                'last_name',
+                'email',
+                'mobile_number',
+                'phone_number',
+                'address',
+                'city',
+                'state',
+                'zip_code',
+                'notes',
+                'timezone',
+                'language',
+                'settings'
+            ]);
+            
+            $this->users_model->only($account['settings'], [
+                'username',
+                'password',
+                'notifications',
+                'calendar_view'
+            ]);
+
             $this->users_model->save($account);
 
             session([