annabunches
commented
4 years ago Findings so far (a bit rambly, more succinct updates when I know more):
- Only the 'admin' routes should be able to write this field. The 'standard', unprivileged routes for creating and updating a member go through the
restricted_savemethod, which doesn't allow the field to be written, see:
https://github.com/usgo/membership/blob/master/mm_app/models/member.php#L76
https://github.com/usgo/membership/blob/master/mm_app/models/member.php#L696
https://github.com/usgo/membership/blob/8af41cbd437b0558ad58b2f2b873cd780432ee49/mm_app/lib/render_forms.php#L894 - In fact, the only time
Member::saveis called directly appears to be in the mass edit code:
https://github.com/usgo/membership/blob/cd4796b75ce30ba5d1da2d4daae9058284386696/controllers/member_controller.php#L685 - However, when
Member::savedoes get called directly, it will pass in any field it receives. It massages certain fields, but does not clamp to fields that are defined / known to exist. So hypothetically if someone were to add POST data directly, we might try to write that. Seems unlikely that we have clients that are using the mass edit route in an automated fashion, (with possibly deprecated input) but I don't know the architecture of all possible "clients" well enough to be certain.
The members table has this field. It probably shouldn't. My recommendations: