diff --git a/gregui/api/views/invitation.py b/gregui/api/views/invitation.py
index 176976302487930c0f415d87363b6f0002db152f..0c2b167a7a63422a2eb9207e7c9fb3eeb8067792 100644
--- a/gregui/api/views/invitation.py
+++ b/gregui/api/views/invitation.py
@@ -103,10 +103,14 @@ class CheckInvitationView(APIView):
class InvitedGuestView(GenericAPIView):
authentication_classes = [SessionAuthentication, BasicAuthentication]
+ # The endpoint is only for invited guests, but the authorization happens in the actual method
permission_classes = [AllowAny]
parser_classes = [JSONParser]
serializer_class = GuestRegisterSerializer
+ # TODO Update to make dynamic based on where we get the information from. If we get some from Feide, then the user should not be allowed to change it
+ fields_allowed_to_update = ["email", "fnr", "mobile_phone"]
+
def get(self, request, *args, **kwargs):
"""
Endpoint for fetching data related to an invite
@@ -172,7 +176,6 @@ class InvitedGuestView(GenericAPIView):
the guest.
"""
invite_id = request.session.get("invite_id")
- data = request.data
# Ensure the invitation link is valid and not expired
try:
@@ -184,6 +187,11 @@ class InvitedGuestView(GenericAPIView):
person = invite_link.invitation.role.person
+ data = request.data
+
+ if not self.only_allowed_fields_in_request(data):
+ return Response(status=status.HTTP_400_BAD_REQUEST)
+
with transaction.atomic():
serializer = self.get_serializer(instance=person, data=request.data)
serializer.is_valid(raise_exception=True)
@@ -198,3 +206,9 @@ class InvitedGuestView(GenericAPIView):
invite_link.save()
# TODO: Send an email to the sponsor?
return Response(status=status.HTTP_200_OK)
+
+ def only_allowed_fields_in_request(self, request_data) -> bool:
+ number_of_fields_filled_in = sum(
+ map(lambda x: x in request_data.keys(), self.fields_allowed_to_update)
+ )
+ return number_of_fields_filled_in == len(request_data.keys())