Ensure users cannot modify their roles on main

Ensure users cannot modify their roles
onyx-dot-app · Dec 31, 2024 · 240f3e4 · 240f3e4
2 parents 1291b3d + 97a03e7
commit 240f3e4
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/backend/onyx/auth/schemas.py b/backend/onyx/auth/schemas.py
@@ -49,4 +49,7 @@ class UserCreate(schemas.BaseUserCreate):
 
 
 class UserUpdate(schemas.BaseUserUpdate):
-    role: UserRole
+    """
+    Role updates are not allowed through the user update endpoint for security reasons
+    Role changes should be handled through a separate, admin-only process
+    """
diff --git a/backend/onyx/auth/users.py b/backend/onyx/auth/users.py
@@ -272,7 +272,6 @@ async def create(
                 if not user.role.is_web_login() and user_create.role.is_web_login():
                     user_update = UserUpdate(
                         password=user_create.password,
-                        role=user_create.role,
                         is_verified=user_create.is_verified,
                     )
                     user = await self.update(user_update, user)