minor change

backend/onyx/auth/schemas.py

@@ -48,7 +48,17 @@ class UserCreate(schemas.BaseUserCreate):
     tenant_id: str | None = None
 
 
+class UserUpdateWithRoleForManager(schemas.BaseUserUpdate):
+    """
+    This schema is used internally by the UserManager class when creating or updating users
+    that require role updates. It allows passing the role without exposing it in all default endpoints.
+    """
+
+    role: UserRole
+
+
 class UserUpdate(schemas.BaseUserUpdate):
-    # Role updates are not allowed through the user update endpoint for security reasons
-    # Role changes should be handled through a separate, admin-only process
-    pass
+    """
+    Role updates are not allowed through the user update endpoint for security reasons
+    Role changes should be handled through a separate, admin-only process
+    """

backend/onyx/auth/users.py

@@ -55,7 +55,7 @@ from onyx.auth.email_utils import send_user_verification_email
 from onyx.auth.invited_users import get_invited_users
 from onyx.auth.schemas import UserCreate
 from onyx.auth.schemas import UserRole
-from onyx.auth.schemas import UserUpdate
+from onyx.auth.schemas import UserUpdateWithRoleForManager
 from onyx.configs.app_configs import AUTH_TYPE
 from onyx.configs.app_configs import DISABLE_AUTH
 from onyx.configs.app_configs import EMAIL_CONFIGURED
@@ -250,7 +250,7 @@ class UserManager(UUIDIDMixin, BaseUserManager[User, uuid.UUID]):
                 user = await self.get_by_email(user_create.email)
                 # Handle case where user has used product outside of web and is now creating an account through web
                 if not user.role.is_web_login() and user_create.role.is_web_login():
-                    user_update = UserUpdate(
+                    user_update = UserUpdateWithRoleForManager(
                         password=user_create.password,
                         is_verified=user_create.is_verified,
                     )