add additional validation logic to Update API methods to ensure model ID matches ID parameter

2023-11-22 14:47:28 -05:00
parent fc186f1718
commit 14d36ef8dc
17 changed files with 17 additions and 17 deletions
--- a/Oqtane.Server/Controllers/SettingController.cs
+++ b/Oqtane.Server/Controllers/SettingController.cs
@ -128,7 +128,7 @@ namespace Oqtane.Controllers
        [HttpPut("{id}")]
        public Setting Put(int id, [FromBody] Setting setting)
        {
-            if (ModelState.IsValid && IsAuthorized(setting.EntityName, setting.EntityId, PermissionNames.Edit))
+            if (ModelState.IsValid && setting.SettingId == id && IsAuthorized(setting.EntityName, setting.EntityId, PermissionNames.Edit))
            {
                setting = _settings.UpdateSetting(setting);
                AddSyncEvent(setting.EntityName, setting.SettingId, SyncEventActions.Update);