Added allow list - quiet the observer down for magical laravel things

Signed-off-by: snipe <snipe@snipe.net>
2025-01-23 11:43:47 -08:00 · 2023-11-22 22:35:34 +00:00 · 2023-11-22 22:35:34 +00:00 · f922d0518e
parent 45d9119733
commit f922d0518e
1 changed files with 61 additions and 30 deletions
--- a/app/Observers/UserObserver.php
+++ b/app/Observers/UserObserver.php
@ -17,9 +17,49 @@ class UserObserver
    public function updating(User $user)
    {

+        // ONLY allow these fields to be stored
+        $allowed_fields = [
+            'email',
+            'activated',
+            'first_name',
+            'last_name',
+            'website',
+            'country',
+            'gravatar',
+            'location_id',
+            'phone',
+            'jobtitle',
+            'manager_id',
+            'employee_num',
+            'username',
+            'notes',
+            'company_id',
+            'ldap_import',
+            'locale',
+            'two_factor_enrolled',
+            'two_factor_optin',
+            'department_id',
+            'address',
+            'address2',
+            'city',
+            'state',
+            'zip',
+            'remote',
+            'start_date',
+            'end_date',
+            'autoassign_licenses',
+            'vip',
+            'password'
+        ];
+        
        $changed = [];
+
        foreach ($user->getRawOriginal() as $key => $value) {

+            // Make sure the info is in the allow fields array
+            if (in_array($key, $allowed_fields)) {
+
+                // Check and see if the value changed
                if ($user->getRawOriginal()[$key] != $user->getAttributes()[$key]) {

                    $changed[$key]['old'] = $user->getRawOriginal()[$key];
@ -31,24 +71,12 @@ class UserObserver
                        $changed['password']['new'] = '*************';
                    }

-                // Do not store last login in changes
-                if ($key == 'last_login') {
-                    unset($changed['last_login']);
-                    unset($changed['last_login']);
-                }
-
-                if ($key == 'permissions') {
-                    unset($changed['permissions']);
-                    unset($changed['permissions']);
-                }
-
-                if ($key == 'remember_token') {
-                    unset($changed['remember_token']);
-                    unset($changed['remember_token']);
-                }
                }
            }

+        }
+
+        if (count($changed) > 0) {
            $logAction = new Actionlog();
            $logAction->item_type = User::class;
            $logAction->item_id = $user->id;
@ -60,6 +88,9 @@ class UserObserver
            $logAction->logaction('update');
        }

+
+    }
+
    /**
     * Listen to the User created event, and increment
     * the next_auto_tag_base value in the settings table when i