ST-370: Fixed error when sending unknown fields in request

2026-06-15 13:32:43 +01:00 · 2024-08-23 16:49:39 +02:00
parent 87b114a32a
commit b7c9aa6f28
2 changed files with 38 additions and 2 deletions
--- a/app/Http/Controllers/Api/V1/TimeEntryController.php
+++ b/app/Http/Controllers/Api/V1/TimeEntryController.php
@@ -275,14 +275,14 @@ class TimeEntryController extends Controller
        $this->checkAnyPermission($organization, ['time-entries:update:all', 'time-entries:update:own']);
        $canAccessAll = $this->hasPermission($organization, 'time-entries:update:all');

-        $ids = $request->input('ids');
+        $ids = $request->validated('ids');

        $timeEntries = TimeEntry::query()
            ->whereBelongsTo($organization, 'organization')
            ->whereIn('id', $ids)
            ->get();

-        $changes = $request->input('changes');
+        $changes = $request->validated('changes');

        if (isset($changes['member_id']) && ! $canAccessAll && $this->member($organization)->getKey() !== $changes['member_id']) {
            throw new AuthorizationException();
--- a/tests/Unit/Endpoint/Api/V1/TimeEntryEndpointTest.php
+++ b/tests/Unit/Endpoint/Api/V1/TimeEntryEndpointTest.php
@@ -1786,6 +1786,42 @@ class TimeEntryEndpointTest extends ApiEndpointTestAbstract
        ]);
    }

+    public function test_update_multiple_ignores_other_fields_in_changes(): void
+    {
+        // Arrange
+        $data = $this->createUserWithPermission([
+            'time-entries:update:all',
+        ]);
+        $timeEntry1 = TimeEntry::factory()->forMember($data->member)->create();
+        $timeEntry2 = TimeEntry::factory()->forMember($data->member)->create();
+        $project = Project::factory()->forOrganization($data->organization)->create();
+        Passport::actingAs($data->user);
+
+        // Act
+        $response = $this->patchJson(route('api.v1.time-entries.update-multiple', [$data->organization->getKey()]), [
+            'ids' => [
+                $timeEntry1->getKey(),
+                $timeEntry2->getKey(),
+            ],
+            'changes' => [
+                'project_id' => $project->getKey(),
+                'other_field' => 'test123',
+            ],
+        ]);
+
+        // Assert
+        $response->assertValid();
+        $response->assertStatus(200);
+        $response->assertExactJson([
+            'success' => [
+                $timeEntry1->getKey(),
+                $timeEntry2->getKey(),
+            ],
+            'error' => [
+            ],
+        ]);
+    }
+
    public function test_update_multiple_can_update_project_and_sets_client_automatically(): void
    {
        // Arrange