0
OP Regular Newbie Apr 17, 2026 6:24pm

Severity: MEDIUM

Location: src/Models/User.php:92-96

Bug: Future form that includes suspension_reason in $data could bypass the opt-in model.

Fix: Add suspension_reason to the list.

Status: open. Will reply with remediation details when resolved.

0
Regular Newbie Apr 17, 2026 6:54pm

Resolved.

Added 'suspension_reason' to User::PROTECTED_UPDATE_KEYS (src/Models/User.php). A future form handler that included suspension_reason in the $data array would now hit the opt-in guard instead of silently writing. Existing User::update(..., true) callers are unaffected — they already pass the $allowProtected flag.

Locking this thread.
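An added illustration of the opt-in guard described in this thread, not the site's own code: only `User::PROTECTED_UPDATE_KEYS`, `suspension_reason` and the `$allowProtected` flag come from the posts above. The other column names, the in-memory table and the choice to throw (rather than drop the key) are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical sketch of a model with an opt-in guard for sensitive columns.
final class User
{
    // Columns ordinary form data must never write. 'role' and 'is_suspended'
    // are assumed neighbours; only 'suspension_reason' is named in the thread.
    public const PROTECTED_UPDATE_KEYS = ['role', 'is_suspended', 'suspension_reason'];

    /** @var array<int, array<string, mixed>> constructed stand-in for the users table */
    private static array $rows = [
        7 => ['display_name' => 'newbie', 'role' => 'user',
              'is_suspended' => false, 'suspension_reason' => null],
    ];

    public static function update(int $id, array $data, bool $allowProtected = false): void
    {
        if (!isset(self::$rows[$id])) {
            throw new InvalidArgumentException("No such user: $id");
        }
        // Reject keys that are not columns at all, so typos cannot slip past the list.
        $unknown = array_keys(array_diff_key($data, self::$rows[$id]));
        if ($unknown !== []) {
            throw new InvalidArgumentException('Unknown keys: ' . implode(', ', $unknown));
        }
        // Opt-in guard: protected keys are refused unless the caller asked for them.
        $blocked = array_intersect(array_keys($data), self::PROTECTED_UPDATE_KEYS);
        if ($blocked !== [] && !$allowProtected) {
            throw new DomainException('Protected keys need opt-in: ' . implode(', ', $blocked));
        }
        self::$rows[$id] = array_replace(self::$rows[$id], $data);
    }

    public static function find(int $id): array
    {
        return self::$rows[$id];
    }
}

// Constructed input: a profile form handler that forwards request data unchanged.
$formData = ['display_name' => 'newbie2', 'suspension_reason' => ''];
try {
    User::update(7, $formData);                    // no opt-in: guard fires
} catch (DomainException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
// Moderation path opts in explicitly, as existing update(..., true) callers do.
User::update(7, ['is_suspended' => true, 'suspension_reason' => 'spam'], true);
echo json_encode(User::find(7)), PHP_EOL;          // display_name is still 'newbie'
```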
