From 09a2977adb8bc4b1db116c725d661160c930d3a1 Mon Sep 17 00:00:00 2001
From: Tony Murray
Date: Mon, 17 Oct 2022 12:11:14 -0500
Subject: [PATCH] Fix authentication mass assignment vulnerability (#14468)
Users were able to submit changes to fields they should not have access to change by bypassing the frontend validation. Correct backend validation to prevent that.
---
 app/Http/Controllers/UserController.php | 2 +-
 app/Http/Requests/UpdateUserRequest.php | 15 ++++++++++++++-
 2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/app/Http/Controllers/UserController.php b/app/Http/Controllers/UserController.php
index 5d15a0b300e5..427d9bfe0b5a 100644
--- a/app/Http/Controllers/UserController.php
+++ b/app/Http/Controllers/UserController.php
@@ -180,7 +180,7 @@ public function update(UpdateUserRequest $request, User $user, FlasherInterface
 }
 }
- $user->fill($request->all());
+ $user->fill($request->validated());
 if ($request->has('dashboard') && $this->updateDashboard($user, $request->get('dashboard'))) {
 $flasher->addSuccess(__('Updated dashboard for :username', ['username' => $user->username]));
diff --git a/app/Http/Requests/UpdateUserRequest.php b/app/Http/Requests/UpdateUserRequest.php
index 72726c515322..b33c00d8a622 100644
--- a/app/Http/Requests/UpdateUserRequest.php
+++ b/app/Http/Requests/UpdateUserRequest.php
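Review bot: The dashboard update two lines below the changed line still reads raw input through `$request->get('dashboard')`, so that path is not covered by the switch to `validated()`; the admin rule set in the second hunk declares `'dashboard' => 'int'`, but whether the non-admin rules (their array runs past that hunk) do is not visible here, and if they do not, the dashboard can still be changed through `updateDashboard()` without passing validation. Reading it from the validated payload keeps the allow-list in one place: `$validated = $request->validated();`, `$user->fill($validated);`, `if (array_key_exists('dashboard', $validated) && $this->updateDashboard($user, $validated['dashboard'])) {`. Note also that `validated()` carries the `new_password`/`old_password` keys into `fill()`, which is harmless only if the User model's `$fillable` excludes them — not confirmable from this hunk. `update()` begins and ends outside the hunk.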
@@ -37,11 +37,24 @@ public function authorize()
 */
 public function rules()
 {
+ if ($this->user()->isAdmin()) {
+ return [
+ 'realname' => 'nullable|max:64|alpha_space',
+ 'email' => 'nullable|email|max:64',
+ 'descr' => 'nullable|max:30|alpha_space',
+ 'new_password' => 'nullable|confirmed|min:' . Config::get('password.min_length', 8),
+ 'new_password_confirmation' => 'nullable|same:new_password',
+ 'dashboard' => 'int',
+ 'level' => 'int',
+ 'enabled' => 'nullable',
+ 'can_modify_passwd' => 'nullable',
+ ];
+ }
+
 return [
 'realname' => 'nullable|max:64|alpha_space',
 'email' => 'nullable|email|max:64',
 'descr' => 'nullable|max:30|alpha_space',
- 'level' => 'int',
 'old_password' => 'nullable|string',
 'new_password' => 'nullable|confirmed|min:' . Config::get('password.min_length', 8),
 'new_password_confirmation' => 'nullable|same:new_password',
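Review bot: The two returned arrays repeat six identical rules, and because the controller now fills the model from `validated()`, these arrays are the effective mass-assignment allow-list — nothing in `rules()` says so, and a reader editing one branch can easily miss the other. A header comment on `rules()` should make that explicit, e.g. `// Doubles as the mass-assignment allow-list: UserController::update() fills the model from validated(), so any key absent here is dropped.` Consider also building the shared rules once and adding the admin-only keys (`dashboard`, `level`, `enabled`, `can_modify_passwd`) with `$rules += [...]`, provided the omission of `old_password` from the admin set is intended. `'enabled' => 'nullable'` and `'can_modify_passwd' => 'nullable'` constrain nothing about the value; if the form submits boolean flags, `nullable|boolean` would be tighter, to be confirmed against the frontend. The non-admin array and `rules()` continue past the end of the hunk.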