From 95ecc2bc805e75598328f94abac6dbefa4682165 Mon Sep 17 00:00:00 2001
From: iglocska
Date: Wed, 26 Jan 2022 15:28:10 +0100
Subject: [PATCH] fix: [security] fields not adhered to in CRUD components edit

- users can circumvent restrictions on editable fields
- can lead to privilege escalation when users edit themselves

---
 src/Controller/Component/CRUDComponent.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/Controller/Component/CRUDComponent.php b/src/Controller/Component/CRUDComponent.php
index 8868399..8ec8692 100644
--- a/src/Controller/Component/CRUDComponent.php
+++ b/src/Controller/Component/CRUDComponent.php
@@ -307,6 +307,9 @@ class CRUDComponent extends Component
             'associated' => []
         ];
         $input = $this->__massageInput($params);
+        if (!empty($params['fields'])) {
+            $patchEntityParams['fields'] = $params['fields'];
+        }
         $data = $this->Table->patchEntity($data, $input, $patchEntityParams);
         if (isset($params['beforeSave'])) {
             $data = $params['beforeSave']($data);
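Review bot: The `!empty($params['fields'])` guard silently discards an explicit empty whitelist, because `empty([])` is true, so a caller that passes `'fields' => []` to mean "nothing is editable" gets no `fields` restriction at all and `patchEntity` merges every key of `$input` (subject only to the entity's accessible-field rules) — the fail-open case this commit is meant to close. Use presence rather than truthiness, `if (isset($params['fields'])) {`, so an empty list is forwarded and the marshaller restricts accordingly; I am inferring the marshaller's treatment of an empty `fields` list from its documented option, so confirm it before relying on it. Note also that the default remains permissive: any edit action that omits `fields` still accepts all posted keys, which is worth stating in a comment above the check, e.g. `// Restrict mass assignment to the caller-supplied whitelist; callers that omit 'fields' get no restriction beyond the entity's accessible fields.` The enclosing edit method begins and ends outside this hunk.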