🔒 🔈 Plug a security vulnerability and alert users to deprecated endpoint

CHANGELOG.rst

@@ -8,6 +8,10 @@ Changes
 -------
 Unreleased
 ==========
+2019-01-17: v0.7.6
+^^^^^^^^^^^^^^^^^^
+* :lock: Stop exposing sensitive data in deprecated `PUT /user/{:id}`
+
 2019-12-18: v0.7.5
 ^^^^^^^^^^^^^^^^^^
 * :racehorse: Check if user requesting user list is a coordinator just once

girderformindlogger/api/v1/user.py

@@ -669,7 +669,6 @@ def getUsersDetails(self):
         return {'nUsers': nUsers}
 
     @access.user
-    @filtermodel(model=UserModel)
     @autoDescribeRoute(
         Description("Update a user's information.")
         .modelParam('id', model=UserModel, level=AccessType.WRITE)
@@ -714,7 +713,8 @@ def updateUser(
         status=None,
         firstName=None,
         lastName=None
-    ): # 🔥 delete firstName and lastName once fully deprecated
+    ):
+        # 🔥 delete firstName and lastName once fully deprecated
         user['firstName'] = displayName if len(
             displayName
         ) else firstName if firstName is not None else ""
@@ -727,16 +727,25 @@ def updateUser(
             elif user['admin'] is not admin:
                 raise AccessException('Only admins may change admin status.')
 
-        # Only admins can change status
-        if status is not None and status != user.get('status', 'enabled'):
-            if not self.getCurrentUser()['admin']:
-                raise AccessException('Only admins may change status.')
-            if user['status'] == 'pending' and status == 'enabled':
-                # Send email on the 'pending' -> 'enabled' transition
-                self._model._sendApprovedEmail(user)
-            user['status'] = status
+            # Only admins can change status
+            if status is not None and status != user.get('status', 'enabled'):
+                if not self.getCurrentUser()['admin']:
+                    raise AccessException('Only admins may change status.')
+                if user['status'] == 'pending' and status == 'enabled':
+                    # Send email on the 'pending' -> 'enabled' transition
+                    self._model._sendApprovedEmail(user)
+                user['status'] = status
 
-        return self._model.save(user)
+        try:
+            self._model.save(user)
+        except:
+            raise RestException(
+                'Update failed, and `PUT /user/{:id}` is deprecated.'
+            )
+
+        return(
+            {'message': 'Update saved, but `PUT /user/{:id}` is deprecated.'}
+        )
 
     @access.admin
     @autoDescribeRoute(

girderformindlogger/models/user.py

@@ -58,6 +58,9 @@ def validate(self, doc):
         """
         Validate the user every time it is stored in the database.
         """
+        for s in ['email', 'displayName', 'firstName']:
+            if s in doc and doc[s] is None:
+                doc[s] = ''
         doc['login'] = doc.get('login', '').lower().strip()
         doc['email'] = doc.get('email', '').lower().strip()
         doc['displayName'] = doc.get(