avoid override of sensitive fields

2017-03-27 22:56:56 +02:00 · 2017-03-27 22:56:56 +02:00 · 85913d2c9e
commit 85913d2c9e
parent 1eb8e9d076
1 changed files with 5 additions and 1 deletions
--- a/eventman_server.py
+++ b/eventman_server.py
@ -905,8 +905,12 @@ class UsersHandler(CollectionHandler):
                raise InputException('not authorized to change password')
            data['password'] = utils.hash_password(new_pwd)
        if '_id' in data:
-            # Avoid overriding _id
            del data['_id']
+        if 'username' in data:
+            del data['username']
+        # for the moment, prevent the ability to update permissions via web
+        if 'permissions' in data:
+            del data['permissions']
        return data

    @gen.coroutine