
Commit 91d6603

committed
Issue techjoomla#5 fix: user.php returning user's password
1 parent 34404ef commit 91d6603

2 files changed

+32
-8
lines changed


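--- a/src/language/en-GB/en-GB.plg_api_users.ini
+++ b/src/language/en-GB/en-GB.plg_api_users.ini
@@ -18,3 +18,4 @@ PLG_API_USERS_IN_POST="in post"
 
 ; Since v2.0.1
 PLG_API_USERS_ACCOUNT_UPDATED_SUCCESSFULLY_MESSAGE="Account details updated successfully"
+PLG_API_USERS_USER_DELETE_MESSAGE="Account details deleted successfully"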

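--- a/src/users/user.php
+++ b/src/users/user.php
@@ -140,6 +140,29 @@ public function post()
 }
 }
 
+/**
+* Funtion to remove sensitive user info fields like password
+*
+* @param Object $user The user object.
+* @param Array $fields Array of fields to be unset
+*
+* @return object|void $user
+*
+* @since 2.0.1
+*/
+protected function sanitizeUserFields($user, $fields = array('password', 'password_clear', 'otpKey', 'otep'))
+{
+foreach ($fields as $f)
+{
+if (isset($user->{$f}))
+{
+unset($user->{$f});
+}
+}
+
+return $user;
+}
+
 /**
 * Function get for user record.
 *
@@ -150,7 +173,7 @@ public function post()
 public function get()
 {
 $input = JFactory::getApplication()->input;
-$id = $input->get('id', 0, 'int');
+$id = $input->get('id', 0, 'string');
 $xIdentifier = $input->server->get('HTTP_X_IDENTIFIER', '', 'string');
 
 /*
@@ -162,14 +185,12 @@ public function get()
 // Get user object
 $user = $this->retriveUser($xIdentifier, $id);
 
-if (! $user->id)
+if (!$user->id)
 {
 ApiError::raiseError(400, JText::_('PLG_API_USERS_USER_NOT_FOUND_MESSAGE'));
 
 return;
 }
-
-$this->plugin->setResponse($user);
 }
 else
 {
@@ -179,9 +200,11 @@ public function get()
 {
 ApiError::raiseError(400, JText::_('JERROR_ALERTNOAUTHOR'));
 }
-
-$this->plugin->setResponse($user);
 }
+
+$user = $this->sanitizeUserFields($user);
+
+$this->plugin->setResponse($user);
 }
 
 /**
@@ -272,9 +295,9 @@ private function storeUser($user, $formData, $isNew = 0)
 */
 public function delete()
 {
-$app = JFactory::getApplication();
+$app = JFactory::getApplication();
 $userIdentifier = $app->input->get('id', 0, 'string');
-$xIdentifier = $app->input->server->get('HTTP_X_IDENTIFIER', '', 'string');
+$xIdentifier = $app->input->server->get('HTTP_X_IDENTIFIER', '', 'string');
 
 $loggedUser = JFactory::getUser();
 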