mirror of
https://github.com/Dispatcharr/Dispatcharr.git
synced 2026-07-17 16:50:53 +00:00
security: Do not allow user to give themselves admin or super_user privileges.
This commit is contained in:
parent
1a9d2e2777
commit
d5aaa0277c
1 changed files with 7 additions and 0 deletions
|
|
@ -285,6 +285,13 @@ class UserViewSet(viewsets.ModelViewSet):
|
|||
def me(self, request):
|
||||
user = request.user
|
||||
if request.method == "PATCH":
|
||||
ALLOWED_FIELDS = {"custom_properties", "first_name", "last_name", "email", "password"}
|
||||
disallowed = set(request.data.keys()) - ALLOWED_FIELDS
|
||||
if disallowed:
|
||||
return Response(
|
||||
{"detail": f"Fields not allowed for self-update: {', '.join(disallowed)}"},
|
||||
status=400,
|
||||
)
|
||||
serializer = UserSerializer(user, data=request.data, partial=True)
|
||||
serializer.is_valid(raise_exception=True)
|
||||
serializer.save()
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue