From 33cc6d32bd8d0799f44b1aa9dc51dee76d7fa017 Mon Sep 17 00:00:00 2001
From: kenjis
Date: Wed, 2 Nov 2022 10:48:21 +0900
Subject: [PATCH] fix: set only validated fields to Entity
All user input should be validated.
---
 src/Controllers/RegisterController.php | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/src/Controllers/RegisterController.php b/src/Controllers/RegisterController.php
index 5bda0fff7..d564a030c 100644
--- a/src/Controllers/RegisterController.php
+++ b/src/Controllers/RegisterController.php
@@ -76,12 +76,8 @@ public function registerAction(): RedirectResponse
 }
 // Save the user
- $allowedPostFields = array_merge(
- setting('Auth.validFields'),
- setting('Auth.personalFields'),
- array_keys($rules),
- );
- $user = $this->getUserEntity();
+ $allowedPostFields = array_keys($rules);
+ $user = $this->getUserEntity();
 $user->fill($this->request->getPost($allowedPostFields));
 // Workaround for email only registration/login
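Review bot: The allowlist passed to `getPost()` is now exactly `array_keys($rules)`, so every key that carries a validation rule becomes assignable through `$user->fill()`. That would include a confirmation-only input if the rules define one, and any key an application adds when it overrides the rules; `$rules` is built outside this hunk, so which keys it covers cannot be confirmed from here. This line is the mass-assignment boundary for registration and should say so, for example `// Mass-assignment boundary: only fields that have a validation rule may reach the entity; do not widen this list from settings.` The diffstat shows no test change, so a regression test that posts a field without a rule and asserts it is absent from the filled entity would pin the behaviour. `registerAction()` starts and ends outside the hunk.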