Accept only whitelisted fields in addSubscriber API

[MAILPOET-2093]
2019-05-27 10:11:23 +02:00
parent 1151e7f9f3
commit 97dc68c655
2 changed files with 29 additions and 2 deletions
--- a/lib/API/MP/v1/API.php
+++ b/lib/API/MP/v1/API.php
@ -211,6 +211,12 @@ class API {

    // separate data into default and custom fields
    list($default_fields, $custom_fields) = Subscriber::extractCustomFieldsFromFromObject($subscriber);
+
+    // filter out all incoming data that we don't want to change, like status, ip address, ...
+    $default_fields = array_intersect_key($default_fields, array_flip([
+      'email', 'first_name', 'last_name'
+    ]));
+
    // if some required default fields are missing, set their values
    $default_fields = Subscriber::setRequiredFieldsDefaultValues($default_fields);

--- a/tests/integration/API/MP/APITest.php
+++ b/tests/integration/API/MP/APITest.php
@ -11,6 +11,7 @@ use MailPoet\Models\ScheduledTask;
 use MailPoet\Models\Segment;
 use MailPoet\Models\SendingQueue;
 use MailPoet\Models\Subscriber;
+use MailPoet\Settings\SettingsController;
 use MailPoet\Subscribers\ConfirmationEmailMailer;
 use MailPoet\Subscribers\NewSubscriberNotificationMailer;
 use MailPoet\Subscribers\RequiredCustomFieldValidator;
@ -348,6 +349,19 @@ class APITest extends \MailPoetTest {
    }
  }

+
+  function testItOnlyAcceptsWhitelistedProperties() {
+    $subscriber = [
+      'email' => 'test-ignore-status@example.com',
+      'first_name' => '',
+      'last_name' => '',
+      'status' => 'bounced',
+    ];
+
+    $result = $this->getApi()->addSubscriber($subscriber);
+    expect($result['status'])->equals('unconfirmed');
+  }
+
  function testItDoesNotAddExistingSubscriber() {
    $subscriber = Subscriber::create();
    $subscriber->hydrate(Fixtures::get('subscriber_template'));
@ -425,6 +439,8 @@ class APITest extends \MailPoetTest {
  }

  function testItSchedulesWelcomeNotificationByDefaultAfterAddingSubscriber() {
+    $settings = new SettingsController();
+    $settings->set('signup_confirmation.enabled', false);
    $API = Stub::makeEmptyExcept(
      \MailPoet\API\MP\v1\API::class,
      'addSubscriber',
@ -435,13 +451,14 @@ class APITest extends \MailPoetTest {
      ], $this);
    $subscriber = [
      'email' => 'test@example.com',
-      'status' => Subscriber::STATUS_SUBSCRIBED,
    ];
    $segments = [1];
    $API->addSubscriber($subscriber, $segments);
  }

  function testItThrowsIfWelcomeEmailFails() {
+    $settings = new SettingsController();
+    $settings->set('signup_confirmation.enabled', false);
    $task = ScheduledTask::create();
    $task->type = 'sending';
    $task->setError("Big Error");
@ -458,7 +475,6 @@ class APITest extends \MailPoetTest {
    $API = $this->getApi();
    $subscriber = [
      'email' => 'test@example.com',
-      'status' => Subscriber::STATUS_SUBSCRIBED,
    ];
    $segments = [$segment->id()];
    $this->setExpectedException('\Exception');
@ -752,6 +768,11 @@ class APITest extends \MailPoetTest {
    }
  }

+  function _before() {
+    $settings = new SettingsController();
+    $settings->set('signup_confirmation.enabled', true);
+  }
+
  function _after() {
    Mock::clean();
    \ORM::raw_execute('TRUNCATE ' . Subscriber::$_table);