GREG-85: Rejecting request if user tries to update fields he is not allowed to

gregui/api/views/invitation.py

@@ -103,10 +103,14 @@ class CheckInvitationView(APIView):
 
 class InvitedGuestView(GenericAPIView):
     authentication_classes = [SessionAuthentication, BasicAuthentication]
+    # The endpoint is only for invited guests, but the authorization happens in the actual method
     permission_classes = [AllowAny]
     parser_classes = [JSONParser]
     serializer_class = GuestRegisterSerializer
 
+    # TODO Update to make dynamic based on where we get the information from. If we get some from Feide, then the user should not be allowed to change it
+    fields_allowed_to_update = ["email", "fnr", "mobile_phone"]
+
     def get(self, request, *args, **kwargs):
         """
         Endpoint for fetching data related to an invite
@@ -172,7 +176,6 @@ class InvitedGuestView(GenericAPIView):
         the guest.
         """
         invite_id = request.session.get("invite_id")
-        data = request.data
 
         # Ensure the invitation link is valid and not expired
         try:
@@ -184,6 +187,11 @@ class InvitedGuestView(GenericAPIView):
 
         person = invite_link.invitation.role.person
 
+        data = request.data
+
+        if not self.only_allowed_fields_in_request(data):
+            return Response(status=status.HTTP_400_BAD_REQUEST)
+
         with transaction.atomic():
             serializer = self.get_serializer(instance=person, data=request.data)
             serializer.is_valid(raise_exception=True)
@@ -198,3 +206,9 @@ class InvitedGuestView(GenericAPIView):
             invite_link.save()
             # TODO: Send an email to the sponsor?
         return Response(status=status.HTTP_200_OK)
+
+    def only_allowed_fields_in_request(self, request_data) -> bool:
+        number_of_fields_filled_in = sum(
+            map(lambda x: x in request_data.keys(), self.fields_allowed_to_update)
+        )
+        return number_of_fields_filled_in == len(request_data.keys())