From 4c91bd76077f786495066b7f12db87a17fbfaf6b Mon Sep 17 00:00:00 2001 From: ValueOn AG Date: Tue, 27 Jan 2026 00:28:31 +0100 Subject: [PATCH] fixes --- modules/interfaces/interfaceDbApp.py | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/modules/interfaces/interfaceDbApp.py b/modules/interfaces/interfaceDbApp.py index 250b2a38..1f1d1e53 100644 --- a/modules/interfaces/interfaceDbApp.py +++ b/modules/interfaces/interfaceDbApp.py @@ -742,8 +742,16 @@ class AppObjects: logger.error(f"Unexpected error creating user: {str(e)}") raise ValueError(f"Failed to create user: {str(e)}") - def updateUser(self, userId: str, updateData: Union[Dict[str, Any], User]) -> User: - """Update a user's information""" + def updateUser(self, userId: str, updateData: Union[Dict[str, Any], User], allowSysAdminChange: bool = False) -> User: + """Update a user's information. + + Args: + userId: ID of the user to update + updateData: User data to update (dict or User model) + allowSysAdminChange: If True, allows changing isSysAdmin field. + Only set to True when called by a SysAdmin explicitly + changing another user's admin status. + """ try: # Get user user = self.getUser(userId) @@ -758,6 +766,14 @@ class AppObjects: # Remove id field from updateDict if present - we'll use userId from parameter updateDict.pop("id", None) + + # SECURITY: Protect sensitive fields from being overwritten by profile updates. + # These fields should only be changed explicitly by admins, not through + # profile forms where they might be sent as default values (e.g., isSysAdmin=False). + protectedFields = ["isSysAdmin"] + if not allowSysAdminChange: + for field in protectedFields: + updateDict.pop(field, None) # Update user data using model updatedData = user.model_dump()