highperfocused/danswer
1
0
Fork 0
mirror of https://github.com/danswer-ai/danswer.git synced 2025-04-04 01:48:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

Ensure users cannot modify their roles on main

Browse Source 
Ensure users cannot modify their roles
This commit is contained in:
pablonyx 2024-12-31 15:59:27 -05:00 committed by GitHub
commit 240f3e4fff
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
backend/onyx/auth/schemas.py
View File

@ -49,4 +49,7 @@ class UserCreate(schemas.BaseUserCreate):
class UserUpdate(schemas.BaseUserUpdate):
role: UserRole
"""
Role updates are not allowed through the user update endpoint for security reasons
Role changes should be handled through a separate, admin-only process
"""

1
backend/onyx/auth/users.py
View File

@ -272,7 +272,6 @@ class UserManager(UUIDIDMixin, BaseUserManager[User, uuid.UUID]):
if not user.role.is_web_login() and user_create.role.is_web_login():
user_update = UserUpdate(
password=user_create.password,
role=user_create.role,
is_verified=user_create.is_verified,
)
user = await self.update(user_update, user)