From 84de1bf91227cd250ec848addbef761d56e0f4e3 Mon Sep 17 00:00:00 2001
From: HadleySo <71105018+HadleySo@users.noreply.github.com>
Date: Wed, 18 Mar 2026 22:53:31 -0500
Subject: [PATCH] prevent elevate privileges with JWT claims
---
 application/models/User_model.php | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/application/models/User_model.php b/application/models/User_model.php
index 305276b15..6fa727ef7 100644
--- a/application/models/User_model.php
+++ b/application/models/User_model.php
@@ -765,6 +765,10 @@ class User_Model extends CI_Model {
 // FUNCTION: update specific user fields from SSO claims (bypass privilege check, used during login flow)
 function update_sso_claims(int $user_id, array $fields): void {
+ // Cannot modify the following
+ $blocked = ['user_type', 'user_password', 'clubstation', 'external_account', 'login_attempts', 'created_at', 'modified_at', 'last_modified', 'last_seen', 'reset_password_date', 'reset_password_code'];
+ $fields = array_diff_key($fields, array_flip($blocked));
+
 $this->db->where('user_id', $user_id);
 $this->db->update('users', $fields);
 }
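Review bot: The new denylist in `update_sso_claims` compares array keys exactly, so a claim mapped to a key such as `User_Type` is not removed by `array_diff_key` but would still reach the `user_type` column through `$this->db->update('users', $fields)` if the database compares column names case-insensitively, as MySQL/MariaDB do; lower-casing the keys before filtering closes that gap: `$fields = array_diff_key(array_change_key_case($fields, CASE_LOWER), array_flip($blocked));`. A denylist also has to be kept in sync with every future privileged column on `users` (`user_id` is not in it either), so an allowlist of the claim-mapped columns the login flow actually writes would be the safer shape, and the comment should record the intent, e.g. `// SSO/JWT claims are not trusted for privilege, credential or audit columns; see commit`. Since the filter can now empty `$fields`, add `if ($fields === []) { return; }` before the `where()` call so the update is not issued with no SET clause, which the query builder treats as an error.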