Ensure users cannot modify their roles on main

pablonyx · web-flow · commit 240f3e4fffd7 · 2024-12-31T15:59:27.000-05:00
Ensure users cannot modify their roles
diff --git a/backend/onyx/auth/schemas.py b/backend/onyx/auth/schemas.py
@@ -49,4 +49,7 @@ class UserCreate(schemas.BaseUserCreate):
 
 
 class UserUpdate(schemas.BaseUserUpdate):
-    role: UserRole
+    """
+    Role updates are not allowed through the user update endpoint for security reasons
+    Role changes should be handled through a separate, admin-only process
+    """
diff --git a/backend/onyx/auth/users.py b/backend/onyx/auth/users.py
@@ -272,7 +272,6 @@ async def create(
                 if not user.role.is_web_login() and user_create.role.is_web_login():
                     user_update = UserUpdate(
                         password=user_create.password,
-                        role=user_create.role,
                         is_verified=user_create.is_verified,
                     )
                     user = await self.update(user_update, user)

Original file line number	Diff line number	Diff line change
`@@ -272,7 +272,6 @@ async def create(`
`272`	`272`	`if not user.role.is_web_login() and user_create.role.is_web_login():`
`273`	`273`	`user_update = UserUpdate(`
`274`	`274`	`password=user_create.password,`
`275`		`- role=user_create.role,`
`276`	`275`	`is_verified=user_create.is_verified,`
`277`	`276`	`)`
`278`	`277`	`user = await self.update(user_update, user)`