fix: [security] fields not adhered to in CRUD components edit

- users can circumvent restrictions on editable fields
- can lead to privilege escalation when users edit themselves
cli-modification-summary
iglocska 2022-01-26 15:28:10 +01:00
parent 006b0aab99
commit 95ecc2bc80
No known key found for this signature in database
GPG Key ID: BEA224F1FEF113AC
1 changed files with 3 additions and 0 deletions


@ -307,6 +307,9 @@ class CRUDComponent extends Component
'associated' => []
];
$input = $this->__massageInput($params);
if (!empty($params['fields'])) {
$patchEntityParams['fields'] = $params['fields'];
}
$data = $this->Table->patchEntity($data, $input, $patchEntityParams);
if (isset($params['beforeSave'])) {
$data = $params['beforeSave']($data);
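Review bot: The new guard uses `!empty($params['fields'])`, so a caller that passes an explicitly empty allow-list (`'fields' => []`) or omits the key altogether gets no restriction at all and the entity is patched with every key in `$input` — the default is fail-open, which is the same class of issue this commit is fixing. Because the restriction is what stops a user from editing fields they are not permitted to change, "empty list" and "absent" should not be conflated: `if (array_key_exists('fields', $params)) { $patchEntityParams['fields'] = $params['fields']; }`. A short comment on the assignment would also help the next maintainer, e.g. `// 'fields' is an allow-list: only these keys from $input are marshalled onto the entity; callers must supply it`. Whether the marshaller treats an empty `fields` list as "set nothing" depends on the framework version in use, so that should be confirmed before relying on it. The enclosing edit method and the `$patchEntityParams` declaration begin outside this hunk.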