Issue #15 santinize method modified to take user param by reference

vaishali · vaishali · commit d5b736f56ae5 · 2019-05-10T14:32:05.000+05:30
diff --git a/src/users/user.php b/src/users/user.php
@@ -19,6 +19,14 @@
  */
 class UsersApiResourceUser extends ApiResource
 {
+	/**
+	 * Array of fields to be unset
+	 *
+	 * @var    array
+	 * @since  2.0.1
+	 */
+	private $fieldsToSanitize = array('password', 'password_clear', 'otpKey', 'otep');
+
 	/**
 	 * Function to create and edit user record.
 	 *
@@ -33,17 +41,22 @@ public function post()
 		$formData       = $app->input->getArray();
 		$userIdentifier = $app->input->get('id', 0, 'string');
 
+		if (isset($formData['fields']))
+		{
+			$formData['com_fields'] = $formData['fields'];
+			unset($formData['fields']);
+		}
+
 		// Get current logged in user.
 		$me = $this->plugin->get('user');
+		$iAmSuperAdmin = $me->authorise('core.create');
 
 		if (!empty($userIdentifier))
 		{
 			$user = $this->retriveUser($userIdentifier);
 
 			if (!empty($user->id))
 			{
-				$iAmSuperAdmin = $me->authorise('core.admin');
-
 				// Check if regular user is trying to update his/her own profile OR if user is superadmin
 				if ($me->id == $user->id || $iAmSuperAdmin)
 				{
@@ -81,6 +94,13 @@ public function post()
 		// Check if $userIdentifier is not set - POST / CREATE user case
 		else
 		{
+			if (!$iAmSuperAdmin)
+			{
+				ApiError::raiseError(400, JText::_('JERROR_ALERTNOAUTHOR'));
+
+				return;
+			}
+
 			// Validate required fields
 			if ($formData['username'] == '' || $formData['name'] == '' || $formData['email'] == '')
 			{
@@ -109,24 +129,21 @@ public function post()
 	/**
 	 * Funtion to remove sensitive user info fields like password
 	 *
-	 * @param   Object  $user    The user object.
-	 * @param   Array   $fields  Array of fields to be unset
+	 * @param   Object  &$user  The user object.
 	 *
 	 * @return  object|void  $user
 	 *
 	 * @since   2.0.1
 	 */
-	protected function sanitizeUserFields($user, $fields = array('password', 'password_clear', 'otpKey', 'otep'))
+	protected function sanitizeUserFields(&$user)
 	{
-		foreach ($fields as $f)
+		foreach ($this->fieldsToSanitize as $f)
 		{
 			if (isset($user->{$f}))
 			{
 				unset($user->{$f});
 			}
 		}
-
-		return $user;
 	}
 
 	/**
@@ -167,7 +184,7 @@ public function get()
 			}
 		}
 
-		$user = $this->sanitizeUserFields($user);
+		$this->sanitizeUserFields($user);
 
 		$this->plugin->setResponse($user);
 	}
@@ -328,7 +345,7 @@ private function retriveUser($userIdentifier)
 
 		// Flag to differentiate the column value
 		$app            = JFactory::getApplication();
-		$xIdentifier    = $app->input->server->get('HTTP_X_IDENTIFIER', '', 'string');
+		$xIdentifier    = $app->input->server->get('HTTP_X_IDENTIFIER', '', 'WORD');
 
 		switch ($xIdentifier)
 		{

Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,14 @@`
`19`	`19`	`*/`
`20`	`20`	`class UsersApiResourceUser extends ApiResource`
`21`	`21`	`{`
	`22`	`+ /**`
	`23`	`+ * Array of fields to be unset`
	`24`	`+ *`
	`25`	`+ * @var array`
	`26`	`+ * @since 2.0.1`
	`27`	`+ */`
	`28`	`+ private $fieldsToSanitize = array('password', 'password_clear', 'otpKey', 'otep');`
	`29`	`+`
`22`	`30`	`/**`
`23`	`31`	`* Function to create and edit user record.`
`24`	`32`	`*`
`@@ -33,17 +41,22 @@ public function post()`
`33`	`41`	`$formData = $app->input->getArray();`
`34`	`42`	`$userIdentifier = $app->input->get('id', 0, 'string');`
`35`	`43`
	`44`	`+ if (isset($formData['fields']))`
	`45`	`+ {`
	`46`	`+ $formData['com_fields'] = $formData['fields'];`
	`47`	`+ unset($formData['fields']);`
	`48`	`+ }`
	`49`	`+`
`36`	`50`	`// Get current logged in user.`
`37`	`51`	`$me = $this->plugin->get('user');`
	`52`	`+ $iAmSuperAdmin = $me->authorise('core.create');`
`38`	`53`
`39`	`54`	`if (!empty($userIdentifier))`
`40`	`55`	`{`
`41`	`56`	`$user = $this->retriveUser($userIdentifier);`
`42`	`57`
`43`	`58`	`if (!empty($user->id))`
`44`	`59`	`{`
`45`		`- $iAmSuperAdmin = $me->authorise('core.admin');`
`46`		`-`
`47`	`60`	`// Check if regular user is trying to update his/her own profile OR if user is superadmin`
`48`	`61`	`if ($me->id == $user->id \|\| $iAmSuperAdmin)`
`49`	`62`	`{`
`@@ -81,6 +94,13 @@ public function post()`
`81`	`94`	`// Check if $userIdentifier is not set - POST / CREATE user case`
`82`	`95`	`else`
`83`	`96`	`{`
	`97`	`+ if (!$iAmSuperAdmin)`
	`98`	`+ {`
	`99`	`+ ApiError::raiseError(400, JText::_('JERROR_ALERTNOAUTHOR'));`
	`100`	`+`
	`101`	`+ return;`
	`102`	`+ }`
	`103`	`+`
`84`	`104`	`// Validate required fields`
`85`	`105`	`if ($formData['username'] == '' \|\| $formData['name'] == '' \|\| $formData['email'] == '')`
`86`	`106`	`{`
`@@ -109,24 +129,21 @@ public function post()`
`109`	`129`	`/**`
`110`	`130`	`* Funtion to remove sensitive user info fields like password`
`111`	`131`	`*`
`112`		`- * @param Object $user The user object.`
`113`		`- * @param Array $fields Array of fields to be unset`
	`132`	`+ * @param Object &$user The user object.`
`114`	`133`	`*`
`115`	`134`	`* @return object\|void $user`
`116`	`135`	`*`
`117`	`136`	`* @since 2.0.1`
`118`	`137`	`*/`
`119`		`- protected function sanitizeUserFields($user, $fields = array('password', 'password_clear', 'otpKey', 'otep'))`
	`138`	`+ protected function sanitizeUserFields(&$user)`
`120`	`139`	`{`
`121`		`- foreach ($fields as $f)`
	`140`	`+ foreach ($this->fieldsToSanitize as $f)`
`122`	`141`	`{`
`123`	`142`	`if (isset($user->{$f}))`
`124`	`143`	`{`
`125`	`144`	`unset($user->{$f});`
`126`	`145`	`}`
`127`	`146`	`}`
`128`		`-`
`129`		`- return $user;`
`130`	`147`	`}`
`131`	`148`
`132`	`149`	`/**`
`@@ -167,7 +184,7 @@ public function get()`
`167`	`184`	`}`
`168`	`185`	`}`
`169`	`186`
`170`		`- $user = $this->sanitizeUserFields($user);`
	`187`	`+ $this->sanitizeUserFields($user);`
`171`	`188`
`172`	`189`	`$this->plugin->setResponse($user);`
`173`	`190`	`}`
`@@ -328,7 +345,7 @@ private function retriveUser($userIdentifier)`
`328`	`345`
`329`	`346`	`// Flag to differentiate the column value`
`330`	`347`	`$app = JFactory::getApplication();`
`331`		`- $xIdentifier = $app->input->server->get('HTTP_X_IDENTIFIER', '', 'string');`
	`348`	`+ $xIdentifier = $app->input->server->get('HTTP_X_IDENTIFIER', '', 'WORD');`
`332`	`349`
`333`	`350`	`switch ($xIdentifier)`
`334`	`351`	`{`