Describe the bug
updateForm in PATCH .../forms/{formId} applies updates with a dynamic setter loop in:
    foreach ($keyValuePairs as $key => $value) {
        $method = 'set' . ucfirst($key);
        $form->$method($value);
    }
That loop will call any matching setter on the Form entity. accessEnum is the raw integer column that access wraps, and it's only meant to be written through setAccess(), which normalises the boolean access payload and runs the config checks in checkAccessUpdate(). Passing accessEnum straight to the loop hits setAccessEnum() and skips all of that.
checkForbiddenKeys() already blocks the other internal columns, but its list doesn't include accessEnum:
    $forbiddenKeys = [
        'id', 'hash', 'ownerId', 'created', 'lastUpdated', 'lockedBy', 'lockedUntil'
    ];
Expected behaviour
Clients should set form access through the access key only. accessEnum is an internal column and shouldn't be writable from the update payload.
Fix
Add accessEnum to the forbiddenKeys list in checkForbiddenKeys() so the loop rejects it.
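The effect of the proposed list entry, as an added example that is not the project's own code: it runs the same setter loop against the key list before and after the change. `Form` here is a reduced stand-in, `applyUpdate()` is a hypothetical helper that combines the key check with the loop, and the `open` key, its integer mapping and the payload value are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Stand-in for the Form entity (hypothetical, reduced to the two setters involved).
final class Form {
    public int $accessEnum = 0;
    public bool $checksRan = false;

    // Intended write path: checks run, then the boolean payload is normalised.
    public function setAccess(array $access): void {
        $this->checksRan = true;                            // stands in for checkAccessUpdate()
        $this->accessEnum = empty($access['open']) ? 0 : 1; // constructed mapping
    }

    // Raw column setter: no normalisation, no checks.
    public function setAccessEnum(int $value): void {
        $this->accessEnum = $value;
    }
}

// Hypothetical helper: forbidden-key check followed by the dynamic setter loop.
function applyUpdate(Form $form, array $keyValuePairs, array $forbiddenKeys): void {
    foreach (array_keys($keyValuePairs) as $key) {
        if (in_array($key, $forbiddenKeys, true)) {
            throw new InvalidArgumentException("Not allowed to update key: $key");
        }
    }
    foreach ($keyValuePairs as $key => $value) {
        $method = 'set' . ucfirst($key);
        $form->$method($value);
    }
}

$before = ['id', 'hash', 'ownerId', 'created', 'lastUpdated', 'lockedBy', 'lockedUntil'];
$after = array_merge($before, ['accessEnum']); // list with the proposed entry
$payload = ['accessEnum' => 7];                // constructed update payload

$form = new Form();
applyUpdate($form, $payload, $before);         // raw setter is reached
printf("before: accessEnum=%d checksRan=%s\n", $form->accessEnum, var_export($form->checksRan, true));

$form = new Form();
try {
    applyUpdate($form, $payload, $after);      // rejected before any setter runs
} catch (InvalidArgumentException $e) {
    printf("after: rejected (%s), accessEnum=%d\n", $e->getMessage(), $form->accessEnum);
}
```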