Merge pull request from GHSA-vvjv-97j8-94xh
Remove option to change organization id of an existing user
frankcorneliusmartin committed Feb 28, 2023
2 parents c66f0a2 + 4ea1427 commit 798aca1
Showing 1 changed file with 0 additions and 22 deletions.
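--- a/vantage6-server/vantage6/server/resource/user.py
+++ b/vantage6-server/vantage6/server/resource/user.py
@@ -497,9 +497,6 @@ def patch(self, id):
 items:
 type: integer
 description: Extra rules for the user on top of the roles
-organization_id:
-type: integer
-description: Organization id of the user
 parameters:
 - in: path
@@ -543,7 +540,6 @@ def patch(self, id):
 parser.add_argument("firstname", type=str, required=False)
 parser.add_argument("lastname", type=str, required=False)
 parser.add_argument("email", type=str, required=False)
-parser.add_argument("organization_id", type=int, required=False)
 data = parser.parse_args()
 
 # check if user defined a password, which is deprecated
@@ -665,24 +661,6 @@ def patch(self, id):
 
 user.rules = rules
 
-if data["organization_id"] and \
-data["organization_id"] != g.user.organization_id:
-if not self.r.e_glo.can():
-return {'msg': 'You lack the permission to do that!'}, \
-HTTPStatus.UNAUTHORIZED
-else:
-# check that newly assigned organization exists
-org = db.Organization.get(data['organization_id'])
-if not org:
-return {'msg': 'Organization does not exist.'}, \
-HTTPStatus.NOT_FOUND
-else:
-log.warn(
-f'Running as root and assigning (new) '
-f'organization_id={data["organization_id"]}'
-)
-user.organization_id = data["organization_id"]
-
 try:
 user.save()
 except sqlalchemy.exc.IntegrityError as e: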
