Added allow list - quiet the observer down for magical laravel things

Signed-off-by: snipe <snipe@snipe.net>

app/Observers/UserObserver.php

@@ -17,47 +17,78 @@ class UserObserver
     public function updating(User $user)
     {
 
+        // ONLY allow these fields to be stored
+        $allowed_fields = [
+            'email',
+            'activated',
+            'first_name',
+            'last_name',
+            'website',
+            'country',
+            'gravatar',
+            'location_id',
+            'phone',
+            'jobtitle',
+            'manager_id',
+            'employee_num',
+            'username',
+            'notes',
+            'company_id',
+            'ldap_import',
+            'locale',
+            'two_factor_enrolled',
+            'two_factor_optin',
+            'department_id',
+            'address',
+            'address2',
+            'city',
+            'state',
+            'zip',
+            'remote',
+            'start_date',
+            'end_date',
+            'autoassign_licenses',
+            'vip',
+            'password'
+        ];
+        
         $changed = [];
+
         foreach ($user->getRawOriginal() as $key => $value) {
 
-            if ($user->getRawOriginal()[$key] != $user->getAttributes()[$key]) {
+            // Make sure the info is in the allow fields array
+            if (in_array($key, $allowed_fields)) {
 
-                $changed[$key]['old'] = $user->getRawOriginal()[$key];
-                $changed[$key]['new'] = $user->getAttributes()[$key];
+                // Check and see if the value changed
+                if ($user->getRawOriginal()[$key] != $user->getAttributes()[$key]) {
 
-                // Do not store the hashed password in changes
-                if ($key == 'password') {
-                    $changed['password']['old'] = '*************';
-                    $changed['password']['new'] = '*************';
-                }
+                    $changed[$key]['old'] = $user->getRawOriginal()[$key];
+                    $changed[$key]['new'] = $user->getAttributes()[$key];
 
-                // Do not store last login in changes
-                if ($key == 'last_login') {
-                    unset($changed['last_login']);
-                    unset($changed['last_login']);
-                }
+                    // Do not store the hashed password in changes
+                    if ($key == 'password') {
+                        $changed['password']['old'] = '*************';
+                        $changed['password']['new'] = '*************';
+                    }
 
-                if ($key == 'permissions') {
-                    unset($changed['permissions']);
-                    unset($changed['permissions']);
-                }
-
-                if ($key == 'remember_token') {
-                    unset($changed['remember_token']);
-                    unset($changed['remember_token']);
                 }
             }
+
         }
 
-        $logAction = new Actionlog();
-        $logAction->item_type = User::class;
-        $logAction->item_id = $user->id;
-        $logAction->target_type = User::class; // can we instead say $logAction->item = $asset ?
-        $logAction->target_id = $user->id;
-        $logAction->created_at = date('Y-m-d H:i:s');
-        $logAction->user_id = Auth::id();
-        $logAction->log_meta = json_encode($changed);
-        $logAction->logaction('update');
+        if (count($changed) > 0) {
+            $logAction = new Actionlog();
+            $logAction->item_type = User::class;
+            $logAction->item_id = $user->id;
+            $logAction->target_type = User::class; // can we instead say $logAction->item = $asset ?
+            $logAction->target_id = $user->id;
+            $logAction->created_at = date('Y-m-d H:i:s');
+            $logAction->user_id = Auth::id();
+            $logAction->log_meta = json_encode($changed);
+            $logAction->logaction('update');
+        }
+
+
     }
 
     /**