diff --git a/backend/onyx/auth/schemas.py b/backend/onyx/auth/schemas.py
index f2a4ef8a07a3..836d42a1489a 100644
--- a/backend/onyx/auth/schemas.py
+++ b/backend/onyx/auth/schemas.py
@@ -48,7 +48,17 @@ class UserCreate(schemas.BaseUserCreate):
     tenant_id: str | None = None
 
 
+class UserUpdateWithRoleForManager(schemas.BaseUserUpdate):
+    """
+    This schema is used internally by the UserManager class when creating or updating users
+    that require role updates. It allows passing the role without exposing it in all default endpoints.
+    """
+
+    role: UserRole
+
+
 class UserUpdate(schemas.BaseUserUpdate):
-    # Role updates are not allowed through the user update endpoint for security reasons
-    # Role changes should be handled through a separate, admin-only process
-    pass
+    """
+    Role updates are not allowed through the user update endpoint for security reasons
+    Role changes should be handled through a separate, admin-only process
+    """
diff --git a/backend/onyx/auth/users.py b/backend/onyx/auth/users.py
index 86556bfe8d11..66f1eaa5c77b 100644
--- a/backend/onyx/auth/users.py
+++ b/backend/onyx/auth/users.py
@@ -55,7 +55,7 @@ from onyx.auth.email_utils import send_user_verification_email
 from onyx.auth.invited_users import get_invited_users
 from onyx.auth.schemas import UserCreate
 from onyx.auth.schemas import UserRole
-from onyx.auth.schemas import UserUpdate
+from onyx.auth.schemas import UserUpdateWithRoleForManager
 from onyx.configs.app_configs import AUTH_TYPE
 from onyx.configs.app_configs import DISABLE_AUTH
 from onyx.configs.app_configs import EMAIL_CONFIGURED
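Review bot: Nothing in `UserUpdateWithRoleForManager` itself stops it from being used as a request body, so the separation from `UserUpdate` that keeps `role` out of the self-service update endpoint holds only by convention, and the class docstring should say so explicitly. Suggest appending to the docstring: `Never bind this schema to a route's request body or register it as the update schema for the users router; any caller able to reach such an endpoint could then set their own role.` It would also help to state that `role` is required here (no default), so every constructor call in UserManager must supply it. The users.py import hunk in the same commit is a rename only and needs nothing.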
@@ -250,7 +250,7 @@ class UserManager(UUIDIDMixin, BaseUserManager[User, uuid.UUID]):
             user = await self.get_by_email(user_create.email)
             # Handle case where user has used product outside of web and is now creating an account through web
             if not user.role.is_web_login() and user_create.role.is_web_login():
-                user_update = UserUpdate(
+                user_update = UserUpdateWithRoleForManager(
                     password=user_create.password,
                     is_verified=user_create.is_verified,
                 )
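Review bot: `UserUpdateWithRoleForManager` declares `role: UserRole` with no default, yet the added line constructs it with only `password` and `is_verified`, so the first user taking the non-web-login → web-login path should hit a validation error at construction rather than get their role updated. Either pass the role explicitly, `role=user_create.role,` next to `is_verified`, or give the field a default in the schema if callers are meant to omit it. The enclosing method continues outside the hunk, but a required field cannot be filled in after the constructor has already run, so whatever follows cannot rescue this call. This branch only fires on that one transition, so a unit test covering it would catch the regression.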