Cavemanon/piratepoet
7
Fork 0
Code Pull Requests Actions Releases 16 Activity

Accept only whitelisted fields in addList API

Browse Source 
[MAILPOET-2093]
This commit is contained in:
Pavel Dohnal
2019-05-27 10:44:52 +02:00
committed by M. Shull
parent 97dc68c655
commit 352a4b82e7
2 changed files with 16 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
lib/API/MP/v1/API.php
View File

@ -213,9 +213,7 @@ class API {
list($default_fields, $custom_fields) = Subscriber::extractCustomFieldsFromFromObject($subscriber); list($default_fields, $custom_fields) = Subscriber::extractCustomFieldsFromFromObject($subscriber);
// filter out all incoming data that we don't want to change, like status, ip address, ... // filter out all incoming data that we don't want to change, like status, ip address, ...
$default_fields = array_intersect_key($default_fields, array_flip([ $default_fields = array_intersect_key($default_fields, array_flip(['email', 'first_name', 'last_name']));
'email', 'first_name', 'last_name'
]));
// if some required default fields are missing, set their values // if some required default fields are missing, set their values
$default_fields = Subscriber::setRequiredFieldsDefaultValues($default_fields); $default_fields = Subscriber::setRequiredFieldsDefaultValues($default_fields);
@ -272,6 +270,9 @@ class API {
); );
} }
// filter out all incoming data that we don't want to change, like type,
$list = array_intersect_key($list, array_flip(['name', 'description']));
// add list // add list
$new_list = Segment::create(); $new_list = Segment::create();
$new_list->hydrate($list); $new_list->hydrate($list);

12
tests/integration/API/MP/APITest.php
View File

@ -586,6 +586,18 @@ class APITest extends \MailPoetTest {
} }
} }
function testItDoesOnlySaveWhiteListedPropertiesWhenAddingList() {
$result = $this->getApi()->addList([
'name' => 'Test segment123',
'description' => 'Description',
'type' => 'ignore this field',
]);
expect($result['id'])->greaterThan(0);
expect($result['name'])->equals('Test segment123');
expect($result['description'])->equals('Description');
expect($result['type'])->equals('default');
}
function testItDoesNotAddExistingList() { function testItDoesNotAddExistingList() {
$segment = Segment::create(); $segment = Segment::create();
$segment->name = 'Test segment'; $segment->name = 'Test segment';