Merge branch 'sec_26_03_2' into development

Author: ssddanbrown

app/Access/Controllers/RegisterController.php

@@ -48,8 +48,7 @@ public function getRegister()
     public function postRegister(Request $request)
     {
         $this->registrationService->ensureRegistrationAllowed();
-        $this->validator($request->all())->validate();
-        $userData = $request->all();
+        $userData = $this->validator($request->all())->validate();
 
         try {
             $user = $this->registrationService->registerUser($userData);

app/Access/RegistrationService.php

@@ -83,7 +83,7 @@ public function registerUser(array $userData, ?SocialAccount $socialAccount = nu
         // Email restriction
         $this->ensureEmailDomainAllowed($userEmail);
 
-        // Ensure user does not already exist
+        // Ensure the user does not already exist
         $alreadyUser = !is_null($this->userRepo->getByEmail($userEmail));
         if ($alreadyUser) {
             throw new UserRegistrationException(trans('errors.error_user_exists_different_creds', ['email' => $userEmail]), '/login');
@@ -99,15 +99,15 @@ public function registerUser(array $userData, ?SocialAccount $socialAccount = nu
         $newUser = $this->userRepo->createWithoutActivity($userData, $emailConfirmed);
         $newUser->attachDefaultRole();
 
-        // Assign social account if given
+        // Assign a social account if given
         if ($socialAccount) {
             $newUser->socialAccounts()->save($socialAccount);
         }
 
         Activity::add(ActivityType::AUTH_REGISTER, $socialAccount ?? $newUser);
         Theme::dispatch(ThemeEvents::AUTH_REGISTER, $authSystem, $newUser);
 
-        // Start email confirmation flow if required
+        // Start the email confirmation flow if required
         if ($this->emailConfirmationService->confirmationRequired() && !$emailConfirmed) {
             $newUser->save();
 

tests/Auth/RegistrationTest.php

@@ -188,6 +188,30 @@ public function test_registration_validation()
         $resp->assertSee('The password must be at least 8 characters.');
     }
 
+    public function test_registration_input_filtered_to_validated_input()
+    {
+        $this->setSettings(['registration-enabled' => 'true']);
+        $roleIds = Role::all()->pluck('id')->toArray();
+
+        $resp = $this->post('/register', [
+            'name'     => 'Barry',
+            'email'    => 'barry@example.com',
+            'password' => 'superpassword',
+            'password_confirmation' => 'superpassword',
+            'external_auth_id' => 'ext5691284',
+            'roles' => $roleIds,
+        ]);
+
+        $resp->assertRedirect('/');
+
+        /** @var User $user */
+        $user = auth()->user();
+        $this->assertNotNull($user);
+        $this->assertFalse($user->isGuest());
+        $this->assertEmpty($user->external_auth_id);
+        $this->assertEquals(0, $user->roles()->count());
+    }
+
     public function test_registration_simple_honeypot_active()
     {
         $this->setSettings(['registration-enabled' => 'true']);