From d5aaa0277c4e1e4b42d77f73e0ec5173d2677309 Mon Sep 17 00:00:00 2001 From: SergeantPanda Date: Sun, 8 Mar 2026 16:08:42 -0500 Subject: [PATCH] security: Do not allow user to give themselves admin or super_user privileges. --- apps/accounts/api_views.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/apps/accounts/api_views.py b/apps/accounts/api_views.py index 66d0fc75..76892929 100644 --- a/apps/accounts/api_views.py +++ b/apps/accounts/api_views.py @@ -285,6 +285,13 @@ class UserViewSet(viewsets.ModelViewSet): def me(self, request): user = request.user if request.method == "PATCH": + ALLOWED_FIELDS = {"custom_properties", "first_name", "last_name", "email", "password"} + disallowed = set(request.data.keys()) - ALLOWED_FIELDS + if disallowed: + return Response( + {"detail": f"Fields not allowed for self-update: {', '.join(disallowed)}"}, + status=400, + ) serializer = UserSerializer(user, data=request.data, partial=True) serializer.is_valid(raise_exception=True) serializer.save()