diff --git a/app/Observers/UserObserver.php b/app/Observers/UserObserver.php
index 257d4e844b..5c565768d3 100644
--- a/app/Observers/UserObserver.php
+++ b/app/Observers/UserObserver.php
@@ -17,47 +17,78 @@ class UserObserver
 public function updating(User $user)
 {
+ // ONLY allow these fields to be stored
+ $allowed_fields = [
+ 'email',
+ 'activated',
+ 'first_name',
+ 'last_name',
+ 'website',
+ 'country',
+ 'gravatar',
+ 'location_id',
+ 'phone',
+ 'jobtitle',
+ 'manager_id',
+ 'employee_num',
+ 'username',
+ 'notes',
+ 'company_id',
+ 'ldap_import',
+ 'locale',
+ 'two_factor_enrolled',
+ 'two_factor_optin',
+ 'department_id',
+ 'address',
+ 'address2',
+ 'city',
+ 'state',
+ 'zip',
+ 'remote',
+ 'start_date',
+ 'end_date',
+ 'autoassign_licenses',
+ 'vip',
+ 'password'
+ ];
+
 $changed = [];
+
 foreach ($user->getRawOriginal() as $key => $value) {
- if ($user->getRawOriginal()[$key] != $user->getAttributes()[$key]) {
+ // Make sure the info is in the allow fields array
+ if (in_array($key, $allowed_fields)) {
- $changed[$key]['old'] = $user->getRawOriginal()[$key];
- $changed[$key]['new'] = $user->getAttributes()[$key];
+ // Check and see if the value changed
+ if ($user->getRawOriginal()[$key] != $user->getAttributes()[$key]) {
- // Do not store the hashed password in changes
- if ($key == 'password') {
- $changed['password']['old'] = '*************';
- $changed['password']['new'] = '*************';
- }
+ $changed[$key]['old'] = $user->getRawOriginal()[$key];
+ $changed[$key]['new'] = $user->getAttributes()[$key];
- // Do not store last login in changes
- if ($key == 'last_login') {
- unset($changed['last_login']);
- unset($changed['last_login']);
- }
+ // Do not store the hashed password in changes
+ if ($key == 'password') {
+ $changed['password']['old'] = '*************';
+ $changed['password']['new'] = '*************';
+ }
- if ($key == 'permissions') {
- unset($changed['permissions']);
- unset($changed['permissions']);
- }
-
- if ($key == 'remember_token') {
- unset($changed['remember_token']);
- unset($changed['remember_token']);
 }
 }
+ }
- $logAction = new Actionlog();
- $logAction->item_type = User::class;
- $logAction->item_id = $user->id;
- $logAction->target_type = User::class; // can we instead say $logAction->item = $asset ?
- $logAction->target_id = $user->id;
- $logAction->created_at = date('Y-m-d H:i:s');
- $logAction->user_id = Auth::id();
- $logAction->log_meta = json_encode($changed);
- $logAction->logaction('update');
+ if (count($changed) > 0) {
+ $logAction = new Actionlog();
+ $logAction->item_type = User::class;
+ $logAction->item_id = $user->id;
+ $logAction->target_type = User::class; // can we instead say $logAction->item = $asset ?
+ $logAction->target_id = $user->id;
+ $logAction->created_at = date('Y-m-d H:i:s');
+ $logAction->user_id = Auth::id();
+ $logAction->log_meta = json_encode($changed);
+ $logAction->logaction('update');
+ }
+
+ }
 /**