Preserve retention metadata for non-admins

sanjacornelius · sanjacornelius · commit 0dcaa1db5d5a · 2026-03-31T11:50:18.000-07:00
Replace inline unsets with restoreProcessRetentionPropertiesFromOriginal. For non-administrator updates, reapply retention-related keys (retention_updated_by, retention_updated_at, retention_period) from the original model snapshot—decoding string-encoded properties if needed—and restore or remove keys to match the original state. This prevents non-admins from adding or modifying retention metadata and handles different properties formats robustly.
diff --git a/ProcessMaker/Http/Controllers/Api/ProcessController.php b/ProcessMaker/Http/Controllers/Api/ProcessController.php
@@ -601,11 +601,9 @@ public function update(Request $request, Process $process)
             }
         }
 
-        // Prevent non-administrators from updating the retention period
+        // Non-administrators cannot change retention metadata: persist pre-request values.
         if (!auth()->user()->is_administrator) {
-            unset($process->properties['retention_updated_by']);
-            unset($process->properties['retention_updated_at']);
-            unset($process->properties['retention_period']);
+            $this->restoreProcessRetentionPropertiesFromOriginal($process, $original);
         }
 
         // Catch errors to send more specific status
@@ -677,6 +675,40 @@ private function validateMaxManagers(Request $request)
         return $managerIds;
     }
 
+    /**
+     * Re-apply retention-related keys on $process->properties from the model snapshot taken before fill().
+     * Non-admins cannot add these keys if absent originally, or change values if present.
+     *
+     * @param  array<string, mixed>  $original
+     */
+    private function restoreProcessRetentionPropertiesFromOriginal(Process $process, array $original): void
+    {
+        $originalProperties = $original['properties'] ?? null;
+        if (is_string($originalProperties)) {
+            $decoded = json_decode($originalProperties, true);
+            $originalProperties = is_array($decoded) ? $decoded : [];
+        }
+        if (!is_array($originalProperties)) {
+            $originalProperties = [];
+        }
+
+        $properties = $process->properties;
+        if (!is_array($properties)) {
+            $properties = [];
+        }
+
+        $keys = ['retention_updated_by', 'retention_updated_at', 'retention_period'];
+        foreach ($keys as $key) {
+            if (array_key_exists($key, $originalProperties)) {
+                $properties[$key] = $originalProperties[$key];
+            } else {
+                unset($properties[$key]);
+            }
+        }
+
+        $process->properties = $properties;
+    }
+
     /**
      * Validate the structure of stages.
      *
