fixes

2026-01-27 00:28:31 +01:00 · 2026-01-27 00:28:31 +01:00 · 4c91bd7607
commit 4c91bd7607
parent ee15fd64b0
1 changed files with 18 additions and 2 deletions
--- a/modules/interfaces/interfaceDbApp.py
+++ b/modules/interfaces/interfaceDbApp.py
@ -742,8 +742,16 @@ class AppObjects:
            logger.error(f"Unexpected error creating user: {str(e)}")
            raise ValueError(f"Failed to create user: {str(e)}")

-    def updateUser(self, userId: str, updateData: Union[Dict[str, Any], User]) -> User:
-        """Update a user's information"""
+    def updateUser(self, userId: str, updateData: Union[Dict[str, Any], User], allowSysAdminChange: bool = False) -> User:
+        """Update a user's information.
+        
+        Args:
+            userId: ID of the user to update
+            updateData: User data to update (dict or User model)
+            allowSysAdminChange: If True, allows changing isSysAdmin field.
+                                 Only set to True when called by a SysAdmin explicitly
+                                 changing another user's admin status.
+        """
        try:
            # Get user
            user = self.getUser(userId)
@ -758,6 +766,14 @@ class AppObjects:

            # Remove id field from updateDict if present - we'll use userId from parameter
            updateDict.pop("id", None)
+            
+            # SECURITY: Protect sensitive fields from being overwritten by profile updates.
+            # These fields should only be changed explicitly by admins, not through
+            # profile forms where they might be sent as default values (e.g., isSysAdmin=False).
+            protectedFields = ["isSysAdmin"]
+            if not allowSysAdminChange:
+                for field in protectedFields:
+                    updateDict.pop(field, None)

            # Update user data using model
            updatedData = user.model_dump()