From e7b3daa80cd40a154c476c65da59563e628a0008 Mon Sep 17 00:00:00 2001
From: Ivan Nieto Vivanco
Date: Mon, 13 Mar 2023 16:10:08 -0600
Subject: [PATCH] Adjust validator to only receive valid groups id's
---
 app/Http/Controllers/Api/UsersController.php | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/app/Http/Controllers/Api/UsersController.php b/app/Http/Controllers/Api/UsersController.php
index 623815ff48..818472199f 100644
--- a/app/Http/Controllers/Api/UsersController.php
+++ b/app/Http/Controllers/Api/UsersController.php
@@ -453,11 +453,14 @@ class UsersController extends Controller
 // Check if the request has groups passed and has a value
 if ($request->filled('groups')) {
- $validator = Validator::make($request->input('groups'), [
- 'groups' => 'array',
- 'groups.*' => 'integer',
+ $validator = Validator::make($request->all(), [
+ 'groups' => 'integer|exists:permission_groups,id',
+ 'groups.*' => 'integer|exists:permission_groups,id',
 ]);
-
+
+ if ($validator->fails()){
+ return response()->json(Helper::formatStandardApiResponse('error', null, $user->getErrors()));
+ }
 $user->groups()->sync($request->input('groups'));
 // The groups field has been passed but it is null, so we should blank it out
 } elseif ($request->has('groups')) {
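Review bot: The two rules in the added `Validator::make` call cannot both pass for a list of IDs: `'groups' => 'integer|exists:permission_groups,id'` fails whenever `groups` is an array, which is the shape `'groups.*'` exists to check, so a multi-group request is rejected. If only lists are expected, `'groups' => 'array'` alongside the existing `'groups.*'` rule is enough; if a single ID must also be accepted, the scalar and array cases need separate handling. The failure branch also returns `$user->getErrors()` rather than the validator's messages, so the caller gets an error without learning which group ID was refused; `$validator->errors()` is what should be passed to `formatStandardApiResponse`. Since this sync changes permission-group membership, it is worth confirming that the surrounding method, which starts and ends outside the hunk, restricts who may send `groups` at all.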