security: Do not allow user to give themselves admin or super_user privileges.

This commit is contained in:
SergeantPanda 2026-03-08 16:08:42 -05:00
parent 1a9d2e2777
commit d5aaa0277c

View file

@ -285,6 +285,13 @@ class UserViewSet(viewsets.ModelViewSet):
def me(self, request):
user = request.user
if request.method == "PATCH":
ALLOWED_FIELDS = {"custom_properties", "first_name", "last_name", "email", "password"}
disallowed = set(request.data.keys()) - ALLOWED_FIELDS
if disallowed:
return Response(
{"detail": f"Fields not allowed for self-update: {', '.join(disallowed)}"},
status=400,
)
serializer = UserSerializer(user, data=request.data, partial=True)
serializer.is_valid(raise_exception=True)
serializer.save()