k

2025-09-19 20:24:32 +02:00 · 2024-12-28 17:26:35 -05:00
parent 340fab1375
commit 2ad8bdbc65
2 changed files with 3 additions and 2 deletions
--- a/backend/onyx/auth/schemas.py
+++ b/backend/onyx/auth/schemas.py
@@ -49,4 +49,6 @@ class UserCreate(schemas.BaseUserCreate):


 class UserUpdate(schemas.BaseUserUpdate):
-    role: UserRole
+    # Role updates are not allowed through the user update endpoint for security reasons
+    # Role changes should be handled through a separate, admin-only process
+    pass
--- a/backend/onyx/auth/users.py
+++ b/backend/onyx/auth/users.py
@@ -252,7 +252,6 @@ class UserManager(UUIDIDMixin, BaseUserManager[User, uuid.UUID]):
                if not user.role.is_web_login() and user_create.role.is_web_login():
                    user_update = UserUpdate(
                        password=user_create.password,
-                        role=user_create.role,
                        is_verified=user_create.is_verified,
                    )
                    user = await self.update(user_update, user)