From 9aefd49d7534f3a756ce823e6c6b2ae291f58901 Mon Sep 17 00:00:00 2001
From: Hira Ijaz <146934091+Hira-Ijaz@users.noreply.github.com>
Date: Thu, 28 Mar 2024 02:07:59 +0500
Subject: [PATCH 1/3] Allow users to edit their profiles

---
 usaon_benefit_tool/routes/user.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/usaon_benefit_tool/routes/user.py b/usaon_benefit_tool/routes/user.py
index 836ab758..7b461f4d 100644
--- a/usaon_benefit_tool/routes/user.py
+++ b/usaon_benefit_tool/routes/user.py
@@ -31,7 +31,8 @@ def get(user_id: str):
 @user_bp.route('/', methods=['POST'])
 @login_required
 def post(user_id: str):
-    forbid_except_for_roles([RoleName.ADMIN])
+    if user_id != request.form['id']:
+        forbid_except_for_roles([RoleName.ADMIN])
     user = db.get_or_404(User, user_id)
     form = Form(request.form, obj=user)

From cf45b9e48486ac5b7ce587d272133805670248e1 Mon Sep 17 00:00:00 2001
From: Hira Ijaz <146934091+Hira-Ijaz@users.noreply.github.com>
Date: Thu, 28 Mar 2024 05:14:28 +0500
Subject: [PATCH 2/3] Improve profile update validation: restrict non-admin user access

---
 usaon_benefit_tool/routes/user.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/usaon_benefit_tool/routes/user.py b/usaon_benefit_tool/routes/user.py
index 7b461f4d..4f28dd23 100644
--- a/usaon_benefit_tool/routes/user.py
+++ b/usaon_benefit_tool/routes/user.py
@@ -31,7 +31,7 @@ def get(user_id: str):
 @user_bp.route('/', methods=['POST'])
 @login_required
 def post(user_id: str):
-    if user_id != request.form['id']:
+    if user_id != current_user.id and current_user.role_id != RoleName.ADMIN:
         forbid_except_for_roles([RoleName.ADMIN])
     user = db.get_or_404(User, user_id)

From b59f98120465c36ea4ffb8f7e7cca132bdc4fbe7 Mon Sep 17 00:00:00 2001
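Review bot: The authorization decision in the added `if user_id != request.form['id']:` line compares the route's user_id with a field from the request body, so the only input deciding whether the admin check runs is one the submitter controls, and a request without an `id` field fails on the lookup itself rather than on the guard. The identity to compare against has to come from the authenticated session, not the form; the follow-up patches in this series (cf45b9e and b59f981) replace it with `current_user.id`, so this intermediate state should not be merged on its own. The rest of post's body, including how the bound Form is saved, lies outside the hunk.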
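Review bot: `user_id` arrives from the URL as a `str` (the signature is `def post(user_id: str)`), while `current_user.id` has whatever type the User primary key has; if that column is an integer, `user_id != current_user.id` is always true and every non-admin is refused their own profile, which fails closed but defeats the feature. Normalize both sides before comparing, e.g. `if str(user_id) != str(current_user.id):`, or convert user_id with the same converter the route applies. The same comparison survives unchanged into the third patch (b59f981), so the fix belongs there as well.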
From: Hira Ijaz <146934091+Hira-Ijaz@users.noreply.github.com>
Date: Thu, 28 Mar 2024 05:47:46 +0500
Subject: [PATCH 3/3] Remove admin role check

Co-authored-by: Matt Fisher
---
 usaon_benefit_tool/routes/user.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/usaon_benefit_tool/routes/user.py b/usaon_benefit_tool/routes/user.py
index 4f28dd23..ba3a277e 100644
--- a/usaon_benefit_tool/routes/user.py
+++ b/usaon_benefit_tool/routes/user.py
@@ -31,7 +31,7 @@ def get(user_id: str):
 @user_bp.route('/', methods=['POST'])
 @login_required
 def post(user_id: str):
-    if user_id != current_user.id and current_user.role_id != RoleName.ADMIN:
+    if user_id != current_user.id:
         forbid_except_for_roles([RoleName.ADMIN])
     user = db.get_or_404(User, user_id)
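Review bot: With the guard reduced to `if user_id != current_user.id:`, any authenticated user now reaches the update path for their own record, and the first patch in this series shows that path binding the whole request body with `Form(request.form, obj=user)`; if that form carries privileged fields such as `role_id`, a self-edit becomes a way for a non-admin to change their own role. Unless Form already excludes those fields, this path needs them stripped or rejected for non-admins, and a comment at the guard such as `# non-admins may only edit their own record; role/privilege fields must not be bound from the form for them` should record the invariant. A refused cross-user edit here is also worth logging with the requester and target ids, since it is the event an operator would want to see. The remainder of post, including the form binding and save, is outside this hunk.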