Accept only whitelisted fields in addSubscriber API

[MAILPOET-2093]
2019-05-27 10:11:23 +02:00
parent 1151e7f9f3
commit 97dc68c655
2 changed files with 29 additions and 2 deletions
--- a/lib/API/MP/v1/API.php
+++ b/lib/API/MP/v1/API.php
@ -211,6 +211,12 @@ class API {

    // separate data into default and custom fields
    list($default_fields, $custom_fields) = Subscriber::extractCustomFieldsFromFromObject($subscriber);
+
+    // filter out all incoming data that we don't want to change, like status, ip address, ...
+    $default_fields = array_intersect_key($default_fields, array_flip([
+      'email', 'first_name', 'last_name'
+    ]));
+
    // if some required default fields are missing, set their values
    $default_fields = Subscriber::setRequiredFieldsDefaultValues($default_fields);