Bump version

Fix leak of private information when updating users
2025-08-13 20:04:24 +02:00 · 2018-11-09 21:22:11 +10:30 · 2018-11-09 21:21:21 +10:30
2 changed files with 8 additions and 2 deletions
--- a/src/Api/Controller/UpdateUserController.php
+++ b/src/Api/Controller/UpdateUserController.php
@@ -11,6 +11,8 @@

 namespace Flarum\Api\Controller;

+use Flarum\Api\Serializer\CurrentUserSerializer;
+use Flarum\Api\Serializer\UserSerializer;
 use Flarum\Core\Command\EditUser;
 use Flarum\Core\Exception\PermissionDeniedException;
 use Illuminate\Contracts\Bus\Dispatcher;
@@ -22,7 +24,7 @@ class UpdateUserController extends AbstractResourceController
    /**
     * {@inheritdoc}
     */
-    public $serializer = 'Flarum\Api\Serializer\CurrentUserSerializer';
+    public $serializer = UserSerializer::class;

    /**
     * {@inheritdoc}
@@ -51,6 +53,10 @@ class UpdateUserController extends AbstractResourceController
        $actor = $request->getAttribute('actor');
        $data = array_get($request->getParsedBody(), 'data', []);

+        if ($actor->id == $id) {
+            $this->serializer = CurrentUserSerializer::class;
+        }
+
        // Require the user's current password if they are attempting to change
        // their own email address.
        if (isset($data['attributes']['email']) && $actor->id == $id) {
--- a/src/Foundation/Application.php
+++ b/src/Foundation/Application.php
@@ -25,7 +25,7 @@ class Application extends Container implements ApplicationContract
     *
     * @var string
     */
-    const VERSION = '0.1.0-beta.7';
+    const VERSION = '0.1.0-beta.7.2';

    /**
     * The base path for the Flarum installation.
Author	SHA1	Message	Date
Toby Zerner	5bcf72dd49	Bump version	2018-11-09 21:22:11 +10:30
Toby Zerner	0536b208e1	Fix leak of private information when updating users	2018-11-09 21:21:21 +10:30