From d0947bae4376e7af639e7fa81cbe07ca79a80faf Mon Sep 17 00:00:00 2001
From: Pinga <121483313+getpinga@users.noreply.github.com>
Date: Tue, 14 Nov 2023 14:29:56 +0200
Subject: [PATCH] Small security fix in the API

---
 cp/routes/web.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/cp/routes/web.php b/cp/routes/web.php
index 80b00d9..9bcf4f3 100644
--- a/cp/routes/web.php
+++ b/cp/routes/web.php
@@ -104,7 +104,13 @@ $app->any('/api[/{params:.*}]', function (
 return !in_array($tableName, $restrictedTables);
 },
 'authorization.columnHandler' => function ($operation, $tableName, $columnName) {
- return !($tableName == 'registrar' && $columnName == 'pw');
+ if ($tableName == 'registrar' && $columnName == 'pw') {
+ return false;
+ }
+ if ($tableName == 'users' && $columnName == 'password') {
+ return false;
+ }
+ return true;
 },
 'sanitation.handler' => function ($operation, $tableName, $column, $value) {
 return is_string($value) ? strip_tags($value) : $value;
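Review bot: The new `authorization.columnHandler` body is a hard-coded deny-list of two table/column pairs that falls through to `return true`, so every other column of any table that passes the `tableHandler` above is allowed for every `$operation`, and each further credential column would have to be remembered as another `if`. The two added comparisons also use loose `==`; `===` (or a strict `in_array`) is the PHP idiom for string matching here. A single map of denied columns keeps additions to one line and makes the strictness explicit, and a short comment such as `// Credential columns are hidden for every operation, including writes.` would record that blocking all operations is deliberate (it appears to be, since `$operation` is never consulted). The enclosing `$app->any('/api...')` closure begins and ends outside the hunk.

```php
        'authorization.columnHandler' => function ($operation, $tableName, $columnName) {
            // Credential columns are hidden for every operation, including writes.
            // Add further table => [columns] pairs here rather than as new `if` blocks.
            static $hiddenColumns = [
                'registrar' => ['pw'],
                'users' => ['password'],
            ];
            return !in_array($columnName, $hiddenColumns[$tableName] ?? [], true);
        },
        // … unchanged: sanitation.handler …
```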