From 4e9e71b1bbe7ea925d4f4a19a6d4594e8b3f649f Mon Sep 17 00:00:00 2001
From: Yuri Kuznetsov
Date: Thu, 2 May 2024 20:39:13 +0300
Subject: [PATCH] userAttribute forbid list
---
 .../Functions/EnvGroup/UserAttributeType.php | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/application/Espo/Core/Formula/Functions/EnvGroup/UserAttributeType.php b/application/Espo/Core/Formula/Functions/EnvGroup/UserAttributeType.php
index 14906aacf6..da5f4fbb28 100644
--- a/application/Espo/Core/Formula/Functions/EnvGroup/UserAttributeType.php
+++ b/application/Espo/Core/Formula/Functions/EnvGroup/UserAttributeType.php
@@ -29,10 +29,8 @@
 
 namespace Espo\Core\Formula\Functions\EnvGroup;
 
-use Espo\Core\Formula\{
- Functions\BaseFunction,
- ArgumentList,
-};
+use Espo\Core\Formula\ArgumentList;
+use Espo\Core\Formula\Functions\BaseFunction;
 
 use Espo\Core\Di;
 
@@ -41,6 +39,13 @@ class UserAttributeType extends BaseFunction implements
 {
 use Di\UserSetter;
 
+ /** @var string[] */
+ private array $forbiddenAttributeList = [
+ 'password',
+ 'apiKey',
+ 'secretKey',
+ ];
+
 public function process(ArgumentList $args)
 {
 if (count($args) < 1) {
@@ -53,6 +58,10 @@ class UserAttributeType extends BaseFunction implements
 $this->throwBadArgumentType(1, 'string');
 }
 
+ if (in_array($attribute, $this->forbiddenAttributeList)) {
+ return null;
+ }
+
 return $this->user->get($attribute);
 }
 }
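Review bot: The `$forbiddenAttributeList` property added to `UserAttributeType` is a fixed denylist of three names, so any other credential-like attribute on the User entity, including one added later by a custom field or an extension, remains readable through this function until someone remembers to extend the list. If the entity metadata already marks internal or forbidden fields, deriving the list from it, or switching to an allowlist of attributes intended for formula use, would fail closed instead of open. At minimum I would add a comment such as `// Secrets that must never be exposed to formula scripts; extend when adding credential-like User fields.` and declare the list as a `private const`, since nothing in the visible code mutates it. The class body starts outside this hunk, so whether other accessors apply the same restriction cannot be confirmed from here.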
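Review bot: The membership check added in `process()` compares loosely and matches names exactly; it should pass the strict flag, `if (in_array($attribute, $this->forbiddenAttributeList, true)) {`. `$attribute` is already known to be a string at this point, so this is hardening rather than a live bug. Whether `$this->user->get()` resolves attribute names case-insensitively or through aliases is not visible in this hunk; if it does, the name should be normalised the same way before the comparison. Returning `null` silently also makes a blocked read indistinguishable from an empty attribute, so a log entry at this branch would help when auditing formula scripts. `process()` begins before this hunk.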