From 9e5ad7eea7060c9db870e72f2057edf7d7557453 Mon Sep 17 00:00:00 2001
From: Mostafa Reda <31967263+hrr2000@users.noreply.github.com>
Date: Wed, 15 Feb 2023 01:32:52 +0000
Subject: [PATCH] Security: prevent updating email_verified_at field by the user role
---
 app/Http/Controllers/UserController.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/Http/Controllers/UserController.php b/app/Http/Controllers/UserController.php
index 9f07353..37ffbca 100644
--- a/app/Http/Controllers/UserController.php
+++ b/app/Http/Controllers/UserController.php
@@ -99,7 +99,6 @@ public function update(Request $request, User $user) {
 $user->name = $request->name ?? $user->name;
 $user->email = $request->email ?? $user->email;
 $user->password = $request->password ? Hash::make($request->password) : $user->password;
- $user->email_verified_at = $request->email_verified_at ?? $user->email_verified_at;
 //check if the logged in user is updating it's own record
@@ -107,6 +106,7 @@ public function update(Request $request, User $user) {
 if ($loggedInUser->id == $user->id) {
 $user->update();
 } elseif ($loggedInUser->tokenCan('admin') || $loggedInUser->tokenCan('super-admin')) {
+ $user->email_verified_at = $request->email_verified_at ?? $user->email_verified_at;
 $user->update();
 } else {
 throw new MissingAbilityException('Not Authorized');
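Review bot: The self-update branch (`if ($loggedInUser->id == $user->id)`) still saves a changed `$user->email` (assigned in the earlier hunk) without clearing `email_verified_at`, so a verified user can switch to an address they never verified and keep verified status — the commit blocks the direct field write but not this indirect bypass. If this is an Eloquent model, as `tokenCan`/`Hash::make` suggest, resetting the flag before the branches closes it: `if ($user->isDirty('email')) { $user->email_verified_at = null; }`. The new admin-branch line also assigns `$request->email_verified_at` unvalidated; it should be validated as a date/timestamp (or nullable date) before being stored, and the `==` id comparison should be `===` with both sides cast to int so a loosely-typed id cannot satisfy it by coercion. `$loggedInUser` is defined outside this hunk and `update()` starts and ends outside it.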