Whitelist other incoming request params
This commit is contained in:
parent
b7833643c2
commit
e11814057d
7 changed files with 169 additions and 9 deletions
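--- a/Admins.php
+++ b/Admins.php
@@ -114,13 +114,36 @@ class Admins extends EA_Controller {
 {
 try
 {
-$admin = request('admin');
-
 if (cannot('add', PRIV_USERS))
 {
 abort(403, 'Forbidden');
 }
 
+$admin = request('admin');
+
+$this->admins_model->only($admin, [
+'first_name',
+'last_name',
+'email',
+'mobile_number',
+'phone_number',
+'address',
+'city',
+'state',
+'zip_code',
+'notes',
+'timezone',
+'language',
+'settings'
+]);
+
+$this->admins_model->only($admin['settings'], [
+'username',
+'password',
+'notifications',
+'calendar_view'
+]);
+
 $admin_id = $this->admins_model->save($admin);
 
 json_response([
@@ -141,13 +164,37 @@ class Admins extends EA_Controller {
 {
 try
 {
-$admin = request('admin');
-
 if (cannot('edit', PRIV_USERS))
 {
 abort(403, 'Forbidden');
 }
 
+$admin = request('admin');
+
+$this->admins_model->only($admin, [
+'id',
+'first_name',
+'last_name',
+'email',
+'mobile_number',
+'phone_number',
+'address',
+'city',
+'state',
+'zip_code',
+'notes',
+'timezone',
+'language',
+'settings'
+]);
+
+$this->admins_model->only($admin['settings'], [
+'username',
+'password',
+'notifications',
+'calendar_view'
+]);
+
 $admin_id = $this->admins_model->save($admin);
 
 json_response([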
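Review bot: `$admin['settings']` is handed to `only()` in both hunks before anything confirms the request actually carried an array there; a request without `settings` would either auto-vivify a null entry (if `only()` takes its first argument by reference) or fail with a TypeError, so guard it first, e.g. `$admin['settings'] = is_array($admin['settings'] ?? null) ? $admin['settings'] : [];`. The return value of every `only()` call is discarded, so the whitelist is only effective if `only()` filters its argument in place — once confirmed, a one-line comment at the first call such as `// only() strips unlisted keys in place (mass-assignment guard)` would spare the next reader the same doubt, because if it returns a filtered copy the request can still carry unlisted keys (an `id` on `store`, for instance) into `save()`. Whitelisting constrains keys, not values: `email`, `settings.username` and `settings.password` still reach the model exactly as submitted unless the model validates them. The enclosing `store`/`update` methods start and end outside these hunks.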
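--- a/Appointments.php
+++ b/Appointments.php
@@ -92,6 +92,18 @@ class Appointments extends EA_Controller {
 abort(403, 'Forbidden');
 }
 
+$this->appointments_model->only($appointment, [
+'start_datetime',
+'end_datetime',
+'location',
+'notes',
+'color',
+'is_unavailability',
+'id_users_provider',
+'id_users_customer',
+'id_services',
+]);
+
 $appointment_id = $this->appointments_model->save($appointment);
 
 json_response([
@@ -119,6 +131,19 @@ class Appointments extends EA_Controller {
 abort(403, 'Forbidden');
 }
 
+$this->appointments_model->only($appointment, [
+'id',
+'start_datetime',
+'end_datetime',
+'location',
+'notes',
+'color',
+'is_unavailability',
+'id_users_provider',
+'id_users_customer',
+'id_services',
+]);
+
 $appointment_id = $this->appointments_model->save($appointment);
 
 json_response([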
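Review bot: Both hunks keep `id_users_provider`, `id_users_customer` and `id_services` (and, in the second, `id`) from the request, yet nothing visible ties those ids to the caller — the `abort(403, ...)` just above is a role check, not an ownership check. If roles other than administrators can reach these endpoints, a caller could attach an appointment to another provider's schedule or repoint an arbitrary appointment by `id`; a per-record check of `id_users_provider` against the session user should follow the `only()` call, or a comment should say where that check lives. The whitelist also passes `start_datetime`/`end_datetime` through unvalidated here, so unless the model validates them an explicit check belongs before `save()`. The enclosing `store`/`update` methods start and end outside the hunks.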
@ -476,11 +476,37 @@ class Booking extends EA_Controller {
|
||||||
|
|
||||||
// Save customer language (the language which is used to render the booking page).
|
// Save customer language (the language which is used to render the booking page).
|
||||||
$customer['language'] = session('language') ?? config('language');
|
$customer['language'] = session('language') ?? config('language');
|
||||||
|
|
||||||
|
$this->customers_model->only($customer, [
|
||||||
|
'id',
|
||||||
|
'first_name',
|
||||||
|
'last_name',
|
||||||
|
'email',
|
||||||
|
'phone_number',
|
||||||
|
'address',
|
||||||
|
'city',
|
||||||
|
'state',
|
||||||
|
'zip_code',
|
||||||
|
'timezone',
|
||||||
|
'language',
|
||||||
|
]);
|
||||||
|
|
||||||
$customer_id = $this->customers_model->save($customer);
|
$customer_id = $this->customers_model->save($customer);
|
||||||
$customer = $this->customers_model->find($customer_id);
|
$customer = $this->customers_model->find($customer_id);
|
||||||
|
|
||||||
$appointment['id_users_customer'] = $customer_id;
|
$appointment['id_users_customer'] = $customer_id;
|
||||||
$appointment['is_unavailability'] = (int)$appointment['is_unavailability'];
|
|
||||||
|
$this->appointments_model->only($appointment, [
|
||||||
|
'start_datetime',
|
||||||
|
'end_datetime',
|
||||||
|
'location',
|
||||||
|
'notes',
|
||||||
|
'is_unavailability',
|
||||||
|
'id_users_provider',
|
||||||
|
'id_users_customer',
|
||||||
|
'id_services',
|
||||||
|
]);
|
||||||
|
|
||||||
$appointment_id = $this->appointments_model->save($appointment);
|
$appointment_id = $this->appointments_model->save($appointment);
|
||||||
$appointment = $this->appointments_model->find($appointment_id);
|
$appointment = $this->appointments_model->find($appointment_id);
|
||||||
|
|
||||||
|
|
|
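Review bot: `'id'` is kept in the customer whitelist on what appears to be the public booking endpoint, so if `$customer['id']` originates from the request (the lines that build `$customer` are above the hunk) an anonymous booker could name any existing customer id and `customers_model->save()` would overwrite that record with the submitted data. If the id is only ever meant to come from a server-side lookup earlier in the method, drop `'id'` from the list and reassign it from that lookup after `only()` runs; otherwise it should not be accepted at all. The removed `(int)` cast also means `is_unavailability` now reaches `save()` exactly as the client sent it, and a public booking presumably should never create an unavailability — consider dropping that key from the whitelist and forcing `$appointment['is_unavailability'] = 0;` if that is the intent. The enclosing method starts and ends outside the hunk.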
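--- a/Booking_settings.php
+++ b/Booking_settings.php
@@ -101,6 +101,12 @@ class Booking_settings extends EA_Controller {
 $setting['id'] = $existing_setting['id'];
 }
 
+$this->settings_model->only($setting, [
+'id',
+'name',
+'value'
+]);
+
 $this->settings_model->save($setting);
 }
 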
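Review bot: The whitelist constrains the shape of each `$setting` but not which setting it targets — `name` is still whatever the client sent, and because the `$setting['id'] = $existing_setting['id']` assignment above is conditional, a client-supplied `id` survives into `save()` whenever the lookup found nothing, so this endpoint can update an unrelated row or create settings under arbitrary names. Strip the request id before the lookup (`unset($setting['id']);` at the top of the loop body, outside this hunk) and validate `name` against the booking settings this page is expected to submit. The enclosing loop and method start outside the hunk.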
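--- a/Business_settings.php
+++ b/Business_settings.php
@@ -103,6 +103,12 @@ class Business_settings extends EA_Controller {
 $setting['id'] = $existing_setting['id'];
 }
 
+$this->settings_model->only($setting, [
+'id',
+'name',
+'value'
+]);
+
 $this->settings_model->save($setting);
 }
 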
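Review bot: `only()` keeps `id` from the request, and the `$setting['id'] = $existing_setting['id']` assignment just above it is inside a conditional, so when no existing setting matched the client-chosen `id` reaches `save()` and may update a row that has nothing to do with business settings; `name` is likewise client-chosen, so any setting can be written through this form. Drop `id` from the request before the lookup (`unset($setting['id']);` at the start of the loop body, outside this hunk) and reject names that are not business settings. A short comment above the `only()` call, e.g. `// Mass-assignment guard: keys only, values are validated by the model (confirm)`, would make the limits of this check explicit. The enclosing loop and method start outside the hunk.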
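--- a/Calendar.php
+++ b/Calendar.php
@@ -190,6 +190,20 @@ class Calendar extends EA_Controller {
 throw new Exception('You do not have the required permissions for this task.');
 }
 
+$this->customers_model->only($customer, [
+'id',
+'first_name',
+'last_name',
+'email',
+'phone_number',
+'address',
+'city',
+'state',
+'zip_code',
+'timezone',
+'language',
+]);
+
 $customer['id'] = $this->customers_model->save($customer);
 }
 
@@ -218,6 +232,19 @@ class Calendar extends EA_Controller {
 $appointment['id_users_customer'] = $customer['id'] ?? $customer_data['id'];
 }
 
+$this->appointments_model->only($appointment, [
+'id',
+'start_datetime',
+'end_datetime',
+'location',
+'notes',
+'color',
+'is_unavailability',
+'id_users_provider',
+'id_users_customer',
+'id_services',
+]);
+
 $appointment['id'] = $this->appointments_model->save($appointment);
 }
 
@@ -329,6 +356,9 @@ class Calendar extends EA_Controller {
 $provider = $this->providers_model->find($unavailability['id_users_provider']);
 
 // Add appointment
+
+
+
 $unavailability['id'] = $this->unavailabilities_model->save($unavailability);
 
 $unavailability = $this->unavailabilities_model->find($unavailability['id']); // fetch all inserted data
@@ -348,6 +378,15 @@ class Calendar extends EA_Controller {
 {
 $google_event = $this->google_sync->add_unavailability($provider, $unavailability);
 $unavailability['id_google_calendar'] = $google_event->id;
+
+$this->unavailabilities_model->only($unavailability, [
+'start_datetime',
+'end_datetime',
+'is_unavailability',
+'notes',
+'id_users_provider'
+]);
+
 $this->unavailabilities_model->save($unavailability);
 }
 else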
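Review bot: In the last hunk the unavailability `only()` call sits inside the Google-sync branch, after `$unavailability['id_google_calendar'] = $google_event->id;`, and its list contains neither `id` nor `id_google_calendar` — so, assuming `only()` removes keys that are not listed, the second `save()` loses the record id (likely inserting a duplicate rather than updating) and the Google event id this branch exists to persist, while the first `save()` in the "Add appointment" hunk still receives the unfiltered request. Move the `only()` call to just before that first `save()` (where the three blank lines were added) and leave the Google-sync branch saving `id` and `id_google_calendar` untouched. The two earlier hunks keep `id`, `id_users_provider` and `id_users_customer` from the request after a role check only; if non-admin roles can reach `save_appointment`, an ownership check on `id_users_provider` is still needed. The enclosing methods start and end outside the hunks.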
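--- a/Categories.php
+++ b/Categories.php
@@ -112,13 +112,18 @@ class Categories extends EA_Controller {
 {
 try
 {
-$category = request('category');
-
 if (cannot('add', PRIV_SERVICES))
 {
 abort(403, 'Forbidden');
 }
 
+$category = request('category');
+
+$this->categories_model->only($category, [
+'name',
+'description'
+]);
+
 $category_id = $this->categories_model->save($category);
 
 json_response([
@@ -139,13 +144,19 @@ class Categories extends EA_Controller {
 {
 try
 {
-$category = request('category');
-
 if (cannot('edit', PRIV_SERVICES))
 {
 abort(403, 'Forbidden');
 }
 
+$category = request('category');
+
+$this->categories_model->only($category, [
+'id',
+'name',
+'description'
+]);
+
 $category_id = $this->categories_model->save($category);
 
 json_response([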
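Review bot: The field list is written out twice per controller, differing only by `'id'`, which is the kind of duplication that drifts when a column is added; consider declaring it once on the model and deriving the `update` list as `['id', ...]` of the `store` list so both endpoints stay in step. `request('category')` is passed straight to `only()` with no check that it is an array, so a malformed request reaches the model's type contract rather than a clear 400 — `if (!is_array($category)) { abort(400, 'Bad Request'); }` before the call would make the failure explicit. A comment such as `// Drop any keys the client may not set (mass-assignment guard); values are validated by the model` above the first `only()` would document the intent of the change. The enclosing `store`/`update` methods start and end outside the hunks.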