Whitelist other incoming request params
This commit is contained in:
parent
b7833643c2
commit
e11814057d
7 changed files with 169 additions and 9 deletions
@ -114,13 +114,36 @@ class Admins extends EA_Controller {
|
|||
{
|
||||
try
|
||||
{
|
||||
$admin = request('admin');
|
||||
|
||||
if (cannot('add', PRIV_USERS))
|
||||
{
|
||||
abort(403, 'Forbidden');
|
||||
}
|
||||
|
||||
$admin = request('admin');
|
||||
|
||||
$this->admins_model->only($admin, [
|
||||
'first_name',
|
||||
'last_name',
|
||||
'email',
|
||||
'mobile_number',
|
||||
'phone_number',
|
||||
'address',
|
||||
'city',
|
||||
'state',
|
||||
'zip_code',
|
||||
'notes',
|
||||
'timezone',
|
||||
'language',
|
||||
'settings'
|
||||
]);
|
||||
|
||||
$this->admins_model->only($admin['settings'], [
|
||||
'username',
|
||||
'password',
|
||||
'notifications',
|
||||
'calendar_view'
|
||||
]);
|
||||
|
||||
$admin_id = $this->admins_model->save($admin);
|
||||
|
||||
json_response([
|
||||
|
@ -141,13 +164,37 @@ class Admins extends EA_Controller {
|
|||
{
|
||||
try
|
||||
{
|
||||
$admin = request('admin');
|
||||
|
||||
if (cannot('edit', PRIV_USERS))
|
||||
{
|
||||
abort(403, 'Forbidden');
|
||||
}
|
||||
|
||||
$admin = request('admin');
|
||||
|
||||
$this->admins_model->only($admin, [
|
||||
'id',
|
||||
'first_name',
|
||||
'last_name',
|
||||
'email',
|
||||
'mobile_number',
|
||||
'phone_number',
|
||||
'address',
|
||||
'city',
|
||||
'state',
|
||||
'zip_code',
|
||||
'notes',
|
||||
'timezone',
|
||||
'language',
|
||||
'settings'
|
||||
]);
|
||||
|
||||
$this->admins_model->only($admin['settings'], [
|
||||
'username',
|
||||
'password',
|
||||
'notifications',
|
||||
'calendar_view'
|
||||
]);
|
||||
|
||||
$admin_id = $this->admins_model->save($admin);
|
||||
|
||||
json_response([
|
||||
|
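Review bot: The nested whitelist `$this->admins_model->only($admin['settings'], [...])` dereferences `settings` without checking that it exists; if `only()` takes its first argument by reference, as the unassigned call suggests, a payload without a `settings` array silently creates `$admin['settings'] = null` before the call instead of rejecting the request. Guard it first, e.g. `if (!is_array($admin['settings'] ?? null)) { throw new InvalidArgumentException('The admin settings are required.'); }`, in this hunk and in the update hunk at `@ -141,13 +164,37 @@`. Key whitelisting only bounds which fields reach `save()`; whether `password` is hashed and `username` validated happens in the model and is not visible here. The enclosing methods continue past the end of each hunk.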
|
|
@ -92,6 +92,18 @@ class Appointments extends EA_Controller {
|
|||
abort(403, 'Forbidden');
|
||||
}
|
||||
|
||||
$this->appointments_model->only($appointment, [
|
||||
'start_datetime',
|
||||
'end_datetime',
|
||||
'location',
|
||||
'notes',
|
||||
'color',
|
||||
'is_unavailability',
|
||||
'id_users_provider',
|
||||
'id_users_customer',
|
||||
'id_services',
|
||||
]);
|
||||
|
||||
$appointment_id = $this->appointments_model->save($appointment);
|
||||
|
||||
json_response([
|
||||
|
@ -119,6 +131,19 @@ class Appointments extends EA_Controller {
|
|||
abort(403, 'Forbidden');
|
||||
}
|
||||
|
||||
$this->appointments_model->only($appointment, [
|
||||
'id',
|
||||
'start_datetime',
|
||||
'end_datetime',
|
||||
'location',
|
||||
'notes',
|
||||
'color',
|
||||
'is_unavailability',
|
||||
'id_users_provider',
|
||||
'id_users_customer',
|
||||
'id_services',
|
||||
]);
|
||||
|
||||
$appointment_id = $this->appointments_model->save($appointment);
|
||||
|
||||
json_response([
|
||||
|
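Review bot: The new `only()` list in both hunks admits `id_users_provider`, `id_users_customer` and `id_services` straight from the request, and a key whitelist bounds only which fields reach `save()`, not their values; nothing in the hunk shows that the referenced provider, customer or service exist or may be assigned by the caller. If the model's `save()` does not validate those foreign keys, check them here before the save (the same applies to the Calendar appointment hunk at `@ -218,6 +232,19 @@`). As a style point, this file's lists end with a trailing comma (`'id_services',`) while the Admins, Categories and settings lists do not; pick one convention across the commit. The enclosing methods start and end outside the hunks.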
|
|
@ -476,11 +476,37 @@ class Booking extends EA_Controller {
|
|||
|
||||
// Save customer language (the language which is used to render the booking page).
|
||||
$customer['language'] = session('language') ?? config('language');
|
||||
|
||||
$this->customers_model->only($customer, [
|
||||
'id',
|
||||
'first_name',
|
||||
'last_name',
|
||||
'email',
|
||||
'phone_number',
|
||||
'address',
|
||||
'city',
|
||||
'state',
|
||||
'zip_code',
|
||||
'timezone',
|
||||
'language',
|
||||
]);
|
||||
|
||||
$customer_id = $this->customers_model->save($customer);
|
||||
$customer = $this->customers_model->find($customer_id);
|
||||
|
||||
$appointment['id_users_customer'] = $customer_id;
|
||||
$appointment['is_unavailability'] = (int)$appointment['is_unavailability'];
|
||||
|
||||
$this->appointments_model->only($appointment, [
|
||||
'start_datetime',
|
||||
'end_datetime',
|
||||
'location',
|
||||
'notes',
|
||||
'is_unavailability',
|
||||
'id_users_provider',
|
||||
'id_users_customer',
|
||||
'id_services',
|
||||
]);
|
||||
|
||||
$appointment_id = $this->appointments_model->save($appointment);
|
||||
$appointment = $this->appointments_model->find($appointment_id);
|
||||
|
||||
|
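Review bot: The customer whitelist on the public booking flow keeps `'id'`; if `$customer['id']` originates from the submitted payload rather than from a server-side lookup (set before this hunk, not visible), a visitor could address an existing customer row, so resolve the id server-side and assign it after `only()` instead of letting it through from the request. Likewise `is_unavailability` is taken from the request at `$appointment['is_unavailability'] = (int)$appointment['is_unavailability'];` and then whitelisted; unless the booking page is meant to create unavailability blocks, set it to `0` here rather than accepting it. The enclosing method starts and ends outside the hunk.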
|
|
@ -101,6 +101,12 @@ class Booking_settings extends EA_Controller {
|
|||
$setting['id'] = $existing_setting['id'];
|
||||
}
|
||||
|
||||
$this->settings_model->only($setting, [
|
||||
'id',
|
||||
'name',
|
||||
'value'
|
||||
]);
|
||||
|
||||
$this->settings_model->save($setting);
|
||||
}
|
||||
|
||||
|
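Review bot: `$this->settings_model->only($setting, ['id', 'name', 'value'])` bounds the shape of each setting but leaves `name` free-form, and the loop above it (starting outside the hunk) copies `$existing_setting['id']` for whatever name matches an existing row, so this form can write any setting row if the table holds values it should not own. Restrict the name to the settings this page manages before the save, e.g. `if (!in_array($setting['name'], $allowed_names, true)) { continue; }` with `$allowed_names` being this controller's list. The same applies to the Business_settings hunk at `@ -103,6 +103,12 @@`. The enclosing method starts and ends outside the hunk.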
|
|
@ -103,6 +103,12 @@ class Business_settings extends EA_Controller {
|
|||
$setting['id'] = $existing_setting['id'];
|
||||
}
|
||||
|
||||
$this->settings_model->only($setting, [
|
||||
'id',
|
||||
'name',
|
||||
'value'
|
||||
]);
|
||||
|
||||
$this->settings_model->save($setting);
|
||||
}
|
||||
|
||||
|
|
|
@ -190,6 +190,20 @@ class Calendar extends EA_Controller {
|
|||
throw new Exception('You do not have the required permissions for this task.');
|
||||
}
|
||||
|
||||
$this->customers_model->only($customer, [
|
||||
'id',
|
||||
'first_name',
|
||||
'last_name',
|
||||
'email',
|
||||
'phone_number',
|
||||
'address',
|
||||
'city',
|
||||
'state',
|
||||
'zip_code',
|
||||
'timezone',
|
||||
'language',
|
||||
]);
|
||||
|
||||
$customer['id'] = $this->customers_model->save($customer);
|
||||
}
|
||||
|
||||
|
@ -218,6 +232,19 @@ class Calendar extends EA_Controller {
|
|||
$appointment['id_users_customer'] = $customer['id'] ?? $customer_data['id'];
|
||||
}
|
||||
|
||||
$this->appointments_model->only($appointment, [
|
||||
'id',
|
||||
'start_datetime',
|
||||
'end_datetime',
|
||||
'location',
|
||||
'notes',
|
||||
'color',
|
||||
'is_unavailability',
|
||||
'id_users_provider',
|
||||
'id_users_customer',
|
||||
'id_services',
|
||||
]);
|
||||
|
||||
$appointment['id'] = $this->appointments_model->save($appointment);
|
||||
}
|
||||
|
||||
|
@ -329,6 +356,9 @@ class Calendar extends EA_Controller {
|
|||
$provider = $this->providers_model->find($unavailability['id_users_provider']);
|
||||
|
||||
// Add appointment
|
||||
|
||||
|
||||
|
||||
$unavailability['id'] = $this->unavailabilities_model->save($unavailability);
|
||||
|
||||
$unavailability = $this->unavailabilities_model->find($unavailability['id']); // fetch all inserted data
|
||||
|
@ -348,6 +378,15 @@ class Calendar extends EA_Controller {
|
|||
{
|
||||
$google_event = $this->google_sync->add_unavailability($provider, $unavailability);
|
||||
$unavailability['id_google_calendar'] = $google_event->id;
|
||||
|
||||
$this->unavailabilities_model->only($unavailability, [
|
||||
'start_datetime',
|
||||
'end_datetime',
|
||||
'is_unavailability',
|
||||
'notes',
|
||||
'id_users_provider'
|
||||
]);
|
||||
|
||||
$this->unavailabilities_model->save($unavailability);
|
||||
}
|
||||
else
|
||||
|
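Review bot: In the unavailability hunk at `@ -348,6 +378,15 @@` the whitelist runs after `$unavailability['id']` and `$unavailability['id_google_calendar']` have been set, and neither key is in the list, so — assuming `only()` filters its first argument in place, as the unassigned calls throughout this commit imply — the following `save()` loses the Google event id and, without `id`, would insert a second row instead of updating the one created at `$unavailability['id'] = $this->unavailabilities_model->save($unavailability);`. That first save also runs on the unfiltered request data, so the whitelist should move in front of it and include `'id'`, and the second save should persist the record as returned by `find()` plus the Google id without re-filtering. If `only()` instead returns the filtered array, every new call in this commit discards its result and is a no-op, and each needs the result assigned back. The enclosing method starts before the first Calendar hunk and ends after the last.
```php
$this->unavailabilities_model->only($unavailability, [
    'id',
    'start_datetime',
    'end_datetime',
    'is_unavailability',
    'notes',
    'id_users_provider',
]);

$unavailability['id'] = $this->unavailabilities_model->save($unavailability);

$unavailability = $this->unavailabilities_model->find($unavailability['id']); // fetch all inserted data

// … unchanged: google sync condition …

$google_event = $this->google_sync->add_unavailability($provider, $unavailability);
$unavailability['id_google_calendar'] = $google_event->id;

// No second whitelist here: the record came from find() and only gained the Google id.
$this->unavailabilities_model->save($unavailability);
```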
|
|
@ -112,13 +112,18 @@ class Categories extends EA_Controller {
|
|||
{
|
||||
try
|
||||
{
|
||||
$category = request('category');
|
||||
|
||||
if (cannot('add', PRIV_SERVICES))
|
||||
{
|
||||
abort(403, 'Forbidden');
|
||||
}
|
||||
|
||||
$category = request('category');
|
||||
|
||||
$this->categories_model->only($category, [
|
||||
'name',
|
||||
'description'
|
||||
]);
|
||||
|
||||
$category_id = $this->categories_model->save($category);
|
||||
|
||||
json_response([
|
||||
|
@ -139,13 +144,19 @@ class Categories extends EA_Controller {
|
|||
{
|
||||
try
|
||||
{
|
||||
$category = request('category');
|
||||
|
||||
if (cannot('edit', PRIV_SERVICES))
|
||||
{
|
||||
abort(403, 'Forbidden');
|
||||
}
|
||||
|
||||
$category = request('category');
|
||||
|
||||
$this->categories_model->only($category, [
|
||||
'id',
|
||||
'name',
|
||||
'description'
|
||||
]);
|
||||
|
||||
$category_id = $this->categories_model->save($category);
|
||||
|
||||
json_response([
|
||||
|
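Review bot: The whitelist in the add hunk and the edit hunk is the same list apart from `'id'`, and the same duplication appears in every other controller in this commit, so the allowed keys will drift as fields are added; define the list once (a private constant in the controller or on the model) and spread it into the edit list, e.g. `$this->categories_model->only($category, ['id', ...self::CATEGORY_FIELDS]);` with `CATEGORY_FIELDS` being the new constant. As a style point, `'description'` here has no trailing comma while the Appointments lists do; pick one convention. The enclosing methods start and end outside the hunks.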
|