From ac380e0a448c268294556b4dfb95956b42dfa18f Mon Sep 17 00:00:00 2001
From: Jared Hendrickson
Date: Sun, 5 Jan 2025 10:42:47 -0700
Subject: [PATCH] fix: prevent clobbering session during model deletions in forms #630 (#632)
---
 .../files/usr/local/pkg/RESTAPI/Core/Form.inc | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/pfSense-pkg-RESTAPI/files/usr/local/pkg/RESTAPI/Core/Form.inc b/pfSense-pkg-RESTAPI/files/usr/local/pkg/RESTAPI/Core/Form.inc
index fe691e89c..c80ed75ba 100644
--- a/pfSense-pkg-RESTAPI/files/usr/local/pkg/RESTAPI/Core/Form.inc
+++ b/pfSense-pkg-RESTAPI/files/usr/local/pkg/RESTAPI/Core/Form.inc
@@ -132,7 +132,7 @@ class Form {
 # Gather information about the authenticated user
 $client = new Auth();
- $client->username = $_SESSION['Username'] ?: DEFAULT_CLIENT_USERNAME;
+ $client->username = $_SESSION['Username'];
 # Obtain the `id` from URL parameters
 $this->id = is_numeric($_GET['id']) ? intval($_GET['id']) : null;
@@ -403,7 +403,9 @@ class Form {
 }
 try {
- (new $this->model(id: $id))->delete();
+ $model_to_delete = new $this->model(id: $id);
+ $model_to_delete->client = $this->model->client;
+ $model_to_delete->delete();
 $this->print_success_banner("Deleted {$this->model->verbose_name} with ID $id.");
 } catch (Response $resp_error) {
 $error_message = $resp_error->getMessage();
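Review bot: The new assignment `$client->username = $_SESSION['Username'];` reads the session key without checking that it is set, so a request that reaches this line without an established session builds an `Auth` client with a null username (and raises an undefined-key warning on PHP 8) instead of the old default identity. Dropping the fallback is the safer direction, but the code should fail closed rather than continue with an anonymous client: add an `empty($_SESSION['Username'])` check that ends the request before the form acts on `$_GET['id']`. Whether the page is already gated by a login check is not visible, because the enclosing method starts and ends outside the hunk; if it is, a one-line comment such as `# Session is established by the GUI login check; never fall back to a default identity` would record that assumption.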
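Review bot: `$model_to_delete->client = $this->model->client;` copies the form model's client without confirming it is populated, so if `$this->model->client` is null the delete still runs with no client attached and the session problem named in the commit subject (#630) could presumably recur. A guard before `delete()` would make the requirement explicit, and a comment such as `# Reuse the form's authenticated client so delete() acts as the session user and does not replace the session (#630)` would keep the reason next to the code. The client is also attached only after the constructor has run with `id: $id`, so anything the constructor does happens without it; that ordering is worth confirming as intended. The enclosing method starts and ends outside the hunk, so where `$id` comes from and how it is validated cannot be checked from these lines.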