alberanid/eventman
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

avoid override of sensitive fields

Browse source
This commit is contained in:
Davide Alberani 2017-03-27 22:56:56 +02:00
parent 1eb8e9d076
commit 85913d2c9e
1 changed files with 5 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
eventman_server.py
View file

@ -905,8 +905,12 @@ class UsersHandler(CollectionHandler):
raise InputException('not authorized to change password') raise InputException('not authorized to change password')
data['password'] = utils.hash_password(new_pwd) data['password'] = utils.hash_password(new_pwd)
if '_id' in data: if '_id' in data:
# Avoid overriding _id
del data['_id'] del data['_id']
if 'username' in data:
del data['username']
# for the moment, prevent the ability to update permissions via web
if 'permissions' in data:
del data['permissions']
return data return data
@gen.coroutine @gen.coroutine