fix(auth): switch user edit to field allowlist

ardelato · ardelato · commit ecef4ffd985d · 2026-04-24T10:23:33.000-07:00
The edit() method passed $request-&gt;post() directly to User::update()
after unsetting only a few keys. This denylist approach allowed
injection of sensitive fields like role and api_token. Switching to
$request-&gt;only() ensures only explicitly listed profile fields can
be mass-assigned through this endpoint.
diff --git a/app/Http/Controllers/UserController.php b/app/Http/Controllers/UserController.php
@@ -819,34 +819,30 @@ public function edit($id, Request $request)
             $Groups = new Group;
             $Groups = $Groups->findAll();
 
-            $data = $request->post();
-
             if (! Fixometer::hasRole($User->find($id), 'Administrator')) {
-                $sent_groups = $data['groups'];
+                $sent_groups = $request->input('groups');
             }
 
+            $data = $request->only([
+                'name', 'email', 'location', 'age', 'gender', 'country_code',
+                'biography', 'language', 'newsletter', 'invites',
+            ]);
+
             $error = false;
             // check for email in use
             $editingUser = $User->find($id);
             if ($editingUser->email !== $data['email'] && ! $User->checkEmail($data['email'])) {
                 $error['email'] = 'The email you entered is already in use in our database. Please use another one.';
             }
 
-            if (! empty($data['new-password'])) {
-                if ($data['new-password'] !== $data['password-confirm']) {
+            if (! empty($request->input('new-password'))) {
+                if ($request->input('new-password') !== $request->input('password-confirm')) {
                     $error['password'] = 'The passwords are not identical!';
                 } else {
-                    $data['password'] = Hash::make($data['new-password']);
+                    $data['password'] = Hash::make($request->input('new-password'));
                 }
             }
 
-            unset($data['new-password']);
-            unset($data['password-confirm']);
-
-            unset($data['groups']);
-            unset($data['profile']);
-            unset($data['id']);
-
             if (! is_array($error)) {
                 $u = $User->find($id)->update($data);
 
