From 982134c077bfc090a6cbba07f4f605403a283d1a Mon Sep 17 00:00:00 2001
From: James Cole
Date: Tue, 18 Jul 2023 07:15:41 +0200
Subject: [PATCH] fix: prevent the demo user from changing the slack URL
---
 .../Controllers/PreferencesController.php | 21 +++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/app/Http/Controllers/PreferencesController.php b/app/Http/Controllers/PreferencesController.php
index cf92b1603d..0ae9480ccf 100644
--- a/app/Http/Controllers/PreferencesController.php
+++ b/app/Http/Controllers/PreferencesController.php
@@ -133,6 +133,13 @@ class PreferencesController extends Controller
 $frontPageAccounts = $accountIds;
 }
+ // for the demo user, the slackUrl is automatically emptied.
+ // this isn't really secure but it means that the demo site has a semi-secret
+ // slackUrl.
+ if (auth()->user()->hasRole('demo')) {
+ $slackUrl = '';
+ }
+
 return view(
 'preferences.index',
 compact(
@@ -198,12 +205,14 @@ class PreferencesController extends Controller
 // slack URL:
- $url = (string)$request->get('slackUrl');
- if (str_starts_with($url, 'https://hooks.slack.com/services/')) {
- app('preferences')->set('slack_webhook_url', $url);
- }
- if ('' === $url) {
- app('preferences')->delete('slack_webhook_url');
+ if (!auth()->user()->hasRole('demo')) {
+ $url = (string)$request->get('slackUrl');
+ if (str_starts_with($url, 'https://hooks.slack.com/services/')) {
+ app('preferences')->set('slack_webhook_url', $url);
+ }
+ if ('' === $url) {
+ app('preferences')->delete('slack_webhook_url');
+ }
 }
 // custom fiscal year
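Review bot: Blanking `$slackUrl` before `return view(...)` only hides the stored webhook URL from this page; the value itself stays in the demo account's preference store, and the added comment concedes as much, so any other code path that reads `slack_webhook_url` for that account (an API resource or export, if one exists) would still surface it. The comment should state that limitation plainly for the next maintainer, e.g. `// Demo user: hide the stored Slack webhook URL in this view only. The secret remains in the preference store and is still readable by any other code that loads 'slack_webhook_url'.` The method that computes `$slackUrl` and builds the view starts before this hunk, so where the value is first loaded is not visible here.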
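Review bot: The new `if (!auth()->user()->hasRole('demo'))` guard discards the submitted `slackUrl` silently, and the same role lookup now appears twice in this controller (the index action above makes the identical call), while a non-empty value that fails the `str_starts_with` prefix test is likewise dropped without any feedback to the user. Resolving the role once, `$isDemo = auth()->user()->hasRole('demo');`, and flashing a short message when the value is ignored would make the behaviour visible instead of surprising. Whether `$request` is a form request with its own validation rules is not visible in the hunk; if it is, the webhook-prefix rule belongs there rather than inline. The enclosing method begins and ends outside the hunk.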