Merge pull request #3889 from Nixxx19/fix/mass-assignment-vulnerability-3876

fix: prevent mass-assignment of user field in createProject and apiCreateProject #3876

Author: raclim

server/controllers/project.controller/createProject.js

@@ -6,11 +6,7 @@ import {
 } from '../../domain-objects/Project';
 
 export default function createProject(req, res) {
-  let projectValues = {
-    user: req.user._id
-  };
-
-  projectValues = Object.assign(projectValues, req.body);
+  const projectValues = Object.assign({}, req.body, { user: req.user._id });
 
   function sendFailure(err) {
     res.status(400).json({ success: false });
@@ -32,7 +28,7 @@ export default function createProject(req, res) {
 
 // TODO: What happens if you don't supply any files?
 export async function apiCreateProject(req, res) {
-  const params = Object.assign({ user: req.user._id }, req.body);
+  const params = Object.assign({}, req.body, { user: req.user._id });
 
   const sendValidationErrors = (err, type, code = 422) => {
     res.status(code).json({