Merge pull request #195 from naresh-webkul/master

jitendra-webkul · web-flow · commit 02f5016398c7 · 2021-09-16T20:56:01.000+05:30
fixed broken access control issue for account update
diff --git a/packages/Webkul/Admin/src/Http/Controllers/User/AccountController.php b/packages/Webkul/Admin/src/Http/Controllers/User/AccountController.php
@@ -46,6 +46,12 @@ public function update()
             return redirect()->back();
         }
 
+        if( isset($data['role_id']) || isset($data['view_permission']) ) {
+            session()->flash('warning', trans('admin::app.user.account.permission-denied'));
+
+            return redirect()->back();
+        }
+
         if (! $data['password']) {
             unset($data['password']);
         } else {
@@ -63,4 +69,4 @@ public function update()
 
         return redirect()->route('admin.dashboard.index');
     }
-}
+}
diff --git a/packages/Webkul/Admin/src/Resources/lang/en/app.php b/packages/Webkul/Admin/src/Resources/lang/en/app.php
@@ -716,6 +716,7 @@
                 'confirm_password'  => 'Confirm password',
                 'password-match'    => 'Current password does not match.',
                 'account-save'      => 'Account changes saved successfully.',
+                'permission-denied' => 'Permission Denied'
             ]
         ],
 
@@ -740,4 +741,4 @@
             ]
         ]
     ];
-?>
+?>
diff --git a/packages/Webkul/UI/publishable/assets/js/ui.js b/packages/Webkul/UI/publishable/assets/js/ui.js
diff --git a/packages/Webkul/UI/src/Resources/assets/js/components/datagrid/table-body.vue b/packages/Webkul/UI/src/Resources/assets/js/components/datagrid/table-body.vue
@@ -36,7 +36,7 @@
                         :key="rowIndex"
                         v-if="column.type != 'hidden'"
                         @click="redirectRow(row.redirect_url)"
-                        v-html="getRowContent(row[column.index])"
+                        v-text="getRowContent(row[column.index])"
                         :title="column.title ? row[column.index] : ''"
                         :class="[row.redirect_url ? 'cursor-pointer' : '', column.class || column.index ]"
                     ></td>
@@ -174,7 +174,7 @@
                                     type    : "success",
                                     message : response.data.message,
                                 });
-    
+
                                 EventBus.$emit('refresh_table_data', {usePrevious: true});
                             }
                         }
@@ -189,4 +189,4 @@
             }
         }
     };
-</script>
+</script>

Original file line number	Diff line number	Diff line change
`@@ -716,6 +716,7 @@`
`716`	`716`	`'confirm_password' => 'Confirm password',`
`717`	`717`	`'password-match' => 'Current password does not match.',`
`718`	`718`	`'account-save' => 'Account changes saved successfully.',`
	`719`	`+ 'permission-denied' => 'Permission Denied'`
`719`	`720`	`]`
`720`	`721`	`],`
`721`	`722`
`@@ -740,4 +741,4 @@`
`740`	`741`	`]`
`741`	`742`	`]`
`742`	`743`	`];`
`743`		`-?>`
	`744`	`+?>`
Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,7 @@`
`36`	`36`	`:key="rowIndex"`
`37`	`37`	`v-if="column.type != 'hidden'"`
`38`	`38`	`@click="redirectRow(row.redirect_url)"`
`39`		`- v-html="getRowContent(row[column.index])"`
	`39`	`+ v-text="getRowContent(row[column.index])"`
`40`	`40`	`:title="column.title ? row[column.index] : ''"`
`41`	`41`	`:class="[row.redirect_url ? 'cursor-pointer' : '', column.class \|\| column.index ]"`
`42`	`42`	`></td>`
`@@ -174,7 +174,7 @@`
`174`	`174`	`type : "success",`
`175`	`175`	`message : response.data.message,`
`176`	`176`	`});`
`177`		`-`
	`177`	`+`
`178`	`178`	`EventBus.$emit('refresh_table_data', {usePrevious: true});`
`179`	`179`	`}`
`180`	`180`	`}`
`@@ -189,4 +189,4 @@`
`189`	`189`	`}`
`190`	`190`	`}`
`191`	`191`	`};`
`192`		`-</script>`
	`192`	`+</script>`