Whitelist other incoming request params

This commit is contained in:
Alex Tselegidis 2022-03-25 12:29:17 +01:00
parent b7833643c2
commit e11814057d
7 changed files with 169 additions and 9 deletions

View file

@ -114,13 +114,36 @@ class Admins extends EA_Controller {
{ {
try try
{ {
$admin = request('admin');
if (cannot('add', PRIV_USERS)) if (cannot('add', PRIV_USERS))
{ {
abort(403, 'Forbidden'); abort(403, 'Forbidden');
} }
$admin = request('admin');
$this->admins_model->only($admin, [
'first_name',
'last_name',
'email',
'mobile_number',
'phone_number',
'address',
'city',
'state',
'zip_code',
'notes',
'timezone',
'language',
'settings'
]);
$this->admins_model->only($admin['settings'], [
'username',
'password',
'notifications',
'calendar_view'
]);
$admin_id = $this->admins_model->save($admin); $admin_id = $this->admins_model->save($admin);
json_response([ json_response([
@ -141,13 +164,37 @@ class Admins extends EA_Controller {
{ {
try try
{ {
$admin = request('admin');
if (cannot('edit', PRIV_USERS)) if (cannot('edit', PRIV_USERS))
{ {
abort(403, 'Forbidden'); abort(403, 'Forbidden');
} }
$admin = request('admin');
$this->admins_model->only($admin, [
'id',
'first_name',
'last_name',
'email',
'mobile_number',
'phone_number',
'address',
'city',
'state',
'zip_code',
'notes',
'timezone',
'language',
'settings'
]);
$this->admins_model->only($admin['settings'], [
'username',
'password',
'notifications',
'calendar_view'
]);
$admin_id = $this->admins_model->save($admin); $admin_id = $this->admins_model->save($admin);
json_response([ json_response([

View file

@ -92,6 +92,18 @@ class Appointments extends EA_Controller {
abort(403, 'Forbidden'); abort(403, 'Forbidden');
} }
$this->appointments_model->only($appointment, [
'start_datetime',
'end_datetime',
'location',
'notes',
'color',
'is_unavailability',
'id_users_provider',
'id_users_customer',
'id_services',
]);
$appointment_id = $this->appointments_model->save($appointment); $appointment_id = $this->appointments_model->save($appointment);
json_response([ json_response([
@ -119,6 +131,19 @@ class Appointments extends EA_Controller {
abort(403, 'Forbidden'); abort(403, 'Forbidden');
} }
$this->appointments_model->only($appointment, [
'id',
'start_datetime',
'end_datetime',
'location',
'notes',
'color',
'is_unavailability',
'id_users_provider',
'id_users_customer',
'id_services',
]);
$appointment_id = $this->appointments_model->save($appointment); $appointment_id = $this->appointments_model->save($appointment);
json_response([ json_response([

View file

@ -476,11 +476,37 @@ class Booking extends EA_Controller {
// Save customer language (the language which is used to render the booking page). // Save customer language (the language which is used to render the booking page).
$customer['language'] = session('language') ?? config('language'); $customer['language'] = session('language') ?? config('language');
$this->customers_model->only($customer, [
'id',
'first_name',
'last_name',
'email',
'phone_number',
'address',
'city',
'state',
'zip_code',
'timezone',
'language',
]);
$customer_id = $this->customers_model->save($customer); $customer_id = $this->customers_model->save($customer);
$customer = $this->customers_model->find($customer_id); $customer = $this->customers_model->find($customer_id);
$appointment['id_users_customer'] = $customer_id; $appointment['id_users_customer'] = $customer_id;
$appointment['is_unavailability'] = (int)$appointment['is_unavailability'];
$this->appointments_model->only($appointment, [
'start_datetime',
'end_datetime',
'location',
'notes',
'is_unavailability',
'id_users_provider',
'id_users_customer',
'id_services',
]);
$appointment_id = $this->appointments_model->save($appointment); $appointment_id = $this->appointments_model->save($appointment);
$appointment = $this->appointments_model->find($appointment_id); $appointment = $this->appointments_model->find($appointment_id);

View file

@ -101,6 +101,12 @@ class Booking_settings extends EA_Controller {
$setting['id'] = $existing_setting['id']; $setting['id'] = $existing_setting['id'];
} }
$this->settings_model->only($setting, [
'id',
'name',
'value'
]);
$this->settings_model->save($setting); $this->settings_model->save($setting);
} }

View file

@ -103,6 +103,12 @@ class Business_settings extends EA_Controller {
$setting['id'] = $existing_setting['id']; $setting['id'] = $existing_setting['id'];
} }
$this->settings_model->only($setting, [
'id',
'name',
'value'
]);
$this->settings_model->save($setting); $this->settings_model->save($setting);
} }

View file

@ -190,6 +190,20 @@ class Calendar extends EA_Controller {
throw new Exception('You do not have the required permissions for this task.'); throw new Exception('You do not have the required permissions for this task.');
} }
$this->customers_model->only($customer, [
'id',
'first_name',
'last_name',
'email',
'phone_number',
'address',
'city',
'state',
'zip_code',
'timezone',
'language',
]);
$customer['id'] = $this->customers_model->save($customer); $customer['id'] = $this->customers_model->save($customer);
} }
@ -218,6 +232,19 @@ class Calendar extends EA_Controller {
$appointment['id_users_customer'] = $customer['id'] ?? $customer_data['id']; $appointment['id_users_customer'] = $customer['id'] ?? $customer_data['id'];
} }
$this->appointments_model->only($appointment, [
'id',
'start_datetime',
'end_datetime',
'location',
'notes',
'color',
'is_unavailability',
'id_users_provider',
'id_users_customer',
'id_services',
]);
$appointment['id'] = $this->appointments_model->save($appointment); $appointment['id'] = $this->appointments_model->save($appointment);
} }
@ -329,6 +356,9 @@ class Calendar extends EA_Controller {
$provider = $this->providers_model->find($unavailability['id_users_provider']); $provider = $this->providers_model->find($unavailability['id_users_provider']);
// Add appointment // Add appointment
$unavailability['id'] = $this->unavailabilities_model->save($unavailability); $unavailability['id'] = $this->unavailabilities_model->save($unavailability);
$unavailability = $this->unavailabilities_model->find($unavailability['id']); // fetch all inserted data $unavailability = $this->unavailabilities_model->find($unavailability['id']); // fetch all inserted data
@ -348,6 +378,15 @@ class Calendar extends EA_Controller {
{ {
$google_event = $this->google_sync->add_unavailability($provider, $unavailability); $google_event = $this->google_sync->add_unavailability($provider, $unavailability);
$unavailability['id_google_calendar'] = $google_event->id; $unavailability['id_google_calendar'] = $google_event->id;
$this->unavailabilities_model->only($unavailability, [
'start_datetime',
'end_datetime',
'is_unavailability',
'notes',
'id_users_provider'
]);
$this->unavailabilities_model->save($unavailability); $this->unavailabilities_model->save($unavailability);
} }
else else

View file

@ -112,13 +112,18 @@ class Categories extends EA_Controller {
{ {
try try
{ {
$category = request('category');
if (cannot('add', PRIV_SERVICES)) if (cannot('add', PRIV_SERVICES))
{ {
abort(403, 'Forbidden'); abort(403, 'Forbidden');
} }
$category = request('category');
$this->categories_model->only($category, [
'name',
'description'
]);
$category_id = $this->categories_model->save($category); $category_id = $this->categories_model->save($category);
json_response([ json_response([
@ -139,13 +144,19 @@ class Categories extends EA_Controller {
{ {
try try
{ {
$category = request('category');
if (cannot('edit', PRIV_SERVICES)) if (cannot('edit', PRIV_SERVICES))
{ {
abort(403, 'Forbidden'); abort(403, 'Forbidden');
} }
$category = request('category');
$this->categories_model->only($category, [
'id',
'name',
'description'
]);
$category_id = $this->categories_model->save($category); $category_id = $this->categories_model->save($category);
json_response([ json_response([