Merge pull request #1224 from tripal/1220-tv3-security_issue

Security Fix for Editing Tripal Content
tripal · Aug 2, 2021 · fe1f70d · fe1f70d
2 parents a08a891 + cc10394
commit fe1f70d
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 11 deletions.
diff --git a/tripal/api/tripal.entities.api.inc b/tripal/api/tripal.entities.api.inc
@@ -1351,12 +1351,15 @@ function tripal_replace_entity_tokens($string, &$entity, $bundle_entity = NULL)
     $token = preg_replace('/[\[\]]/', '', $token);
     $elements = explode(',', $token);
     $field_name = array_shift($elements);
+
     //$field_name = str_replace(array('.','[',']'), array('__','',''), $field_name);
     if (!property_exists($entity, $field_name) or empty($entity->{$field_name})) {
       $field = field_info_field($field_name);
-      $storage = $field['storage'];
-      $attach_fields[$storage['type']]['storage'] = $storage;
-      $attach_fields[$storage['type']]['fields'][] = $field;
+      if ($field) {
+        $storage = $field['storage'];
+        $attach_fields[$storage['type']]['storage'] = $storage;
+        $attach_fields[$storage['type']]['fields'][] = $field;
+      }
     }
   }
 
@@ -1435,7 +1438,10 @@ function tripal_replace_entity_tokens($string, &$entity, $bundle_entity = NULL)
  */
 function _tripal_replace_entity_tokens_for_elements($elements, $values) {
   $term_id = array_shift($elements);
-  $value = $values[$term_id];
+  $value = '';
+  if (array_key_exists($term_id, $values)) {
+    $value = $values[$term_id];
+  }
   if (count($elements) == 0) {
     return $value;
   }

diff --git a/tripal/includes/TripalEntityUIController.inc b/tripal/includes/TripalEntityUIController.inc
@@ -712,22 +712,23 @@ function tripal_entity_form_submit($form, &$form_state) {
     }
     return;
   }
+
   if ($form_state['clicked_button']['#name'] == 'unpublish_data') {
     if (entity_access('unpublish', 'TripalEntity', $entity, $user)) {
       $form_state['redirect'] = 'bio_data/' . $entity->id . '/unpublish';
     }
     return;
   }
 
-  $username = $form_state['values']['author_name'];
-  $user = user_load_by_name($username);
-  $entity->uid = $user->uid;
+  if (!array_key_exists('#entity', $form)) {
+    $entity->uid = $user->uid;
 
-  $create_date = $form_state['values']['author_date'];
-  $entity->created = $create_date;
+    $create_date = $form_state['values']['author_date'];
+    $entity->created = $create_date;
 
-  $published = $form_state['values']['status'];
-  $entity->status = $published;
+    $published = $form_state['values']['status'];
+    $entity->status = $published;
+  }
 
   // Allow the fields to perform actions prior to submit.
   $instances = field_info_instances('TripalEntity', $entity->bundle);
@@ -739,6 +740,9 @@ function tripal_entity_form_submit($form, &$form_state) {
         if (!preg_match('/^\d+$/', $delta)) {
           continue;
         }
+        if (!array_key_exists('#field', $field_form)) {
+          continue;
+        }
         $widget_type = $instance['widget']['type'];
         if (tripal_load_include_field_class($widget_type)) {
           $field = $field_form['#field'];