From 2cc4523c6ba899744152334ce17357072c6e1967 Mon Sep 17 00:00:00 2001
From: Tore Brede <Tore.Brede@uib.no>
Date: Tue, 19 Oct 2021 12:39:07 +0200
Subject: [PATCH] GREG-85: Rejecting request if user tries to update fields he
 is not allowed to

---
 gregui/api/views/invitation.py | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/gregui/api/views/invitation.py b/gregui/api/views/invitation.py
index 17697630..0c2b167a 100644
--- a/gregui/api/views/invitation.py
+++ b/gregui/api/views/invitation.py
@@ -103,10 +103,14 @@ class CheckInvitationView(APIView):
 
 class InvitedGuestView(GenericAPIView):
     authentication_classes = [SessionAuthentication, BasicAuthentication]
+    # The endpoint is only for invited guests, but the authorization happens in the actual method
     permission_classes = [AllowAny]
     parser_classes = [JSONParser]
     serializer_class = GuestRegisterSerializer
 
+    # TODO Update to make dynamic based on where we get the information from. If we get some from Feide, then the user should not be allowed to change it
+    fields_allowed_to_update = ["email", "fnr", "mobile_phone"]
+
     def get(self, request, *args, **kwargs):
         """
         Endpoint for fetching data related to an invite
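Review bot: `fields_allowed_to_update` on the line after the TODO is a mutable class-level list that is only ever used for membership tests, so a frozenset is the safer shape: `fields_allowed_to_update = frozenset({"email", "fnr", "mobile_phone"})`. A short comment above it stating its role would help the next reader, e.g. `# Allow-list of request keys a guest may set; enforced by only_allowed_fields_in_request`. The TODO line itself is long enough to wrap onto two comment lines.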
@@ -172,7 +176,6 @@ class InvitedGuestView(GenericAPIView):
         the guest.
         """
         invite_id = request.session.get("invite_id")
-        data = request.data
 
         # Ensure the invitation link is valid and not expired
         try:
@@ -184,6 +187,11 @@ class InvitedGuestView(GenericAPIView):
 
         person = invite_link.invitation.role.person
 
+        data = request.data
+
+        if not self.only_allowed_fields_in_request(data):
+            return Response(status=status.HTTP_400_BAD_REQUEST)
+
         with transaction.atomic():
             serializer = self.get_serializer(instance=person, data=request.data)
             serializer.is_valid(raise_exception=True)
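Review bot: The 400 returned two lines after `data = request.data` has no body, so a client that sends one disallowed key gets no indication of why the whole update was rejected; `return Response({"detail": "Request contains fields that may not be updated"}, status=status.HTTP_400_BAD_REQUEST)` keeps the rejection but makes it actionable. The serializer on the following line is still built from `request.data` rather than the `data` local that was just validated, which is harmless today but invites a mismatch if `data` is ever normalised first; `serializer = self.get_serializer(instance=person, data=data)` keeps the two in step. The enclosing method starts before this hunk.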
@@ -198,3 +206,9 @@ class InvitedGuestView(GenericAPIView):
             invite_link.save()
             # TODO: Send an email to the sponsor?
         return Response(status=status.HTTP_200_OK)
+
+    def only_allowed_fields_in_request(self, request_data) -> bool:
+        number_of_fields_filled_in = sum(
+            map(lambda x: x in request_data.keys(), self.fields_allowed_to_update)
+        )
+        return number_of_fields_filled_in == len(request_data.keys())
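Review bot: `only_allowed_fields_in_request` calls `request_data.keys()` without checking that the parsed body is a mapping; with JSONParser a top-level JSON array is a legitimate parse result, and on it this raises AttributeError, turning a malformed guest request into a 500 instead of the intended 400. A guard such as `if not isinstance(request_data, dict): return False` at the top of the method closes that path (collections.abc.Mapping is the more general check if an import is acceptable). The counting expression that follows is equivalent to a subset test and reads more clearly as `return set(request_data) <= set(self.fields_allowed_to_update)`. A one-line docstring, e.g. `"""Return True when every key in request_data is in fields_allowed_to_update."""`, would document the contract the caller relies on.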
-- 
GitLab