Merge pull request #734 from MaddyUnderStars/fix/sanitisation

Fix users arbitrarily editing their own User object, and disallow sending messages to certain channels ( eg categories )
author: TheArcaneBrony <myrainbowdash949@gmail.com> 2022-04-22 18:12:18 +0200
committer: GitHub <noreply@github.com> 2022-04-22 18:12:18 +0200
commit: 3491d01dca9917a9860ee77163fbed4ea6ef3d94 (patch)
tree: 9eabeea3b7bc6138365f642578ffbbb9c87b3c80 /api/src/routes/users/@me
parent: Update UserGroup.ts (diff)
parent: Fix not assigning new changes to input fields in users/@me (diff)
download: server-3491d01dca9917a9860ee77163fbed4ea6ef3d94.tar.xz
1 files changed, 1 insertions, 2 deletions
diff --git a/api/src/routes/users/@me/index.ts b/api/src/routes/users/@me/index.ts
index d32b44f9..1af413c4 100644
--- a/api/src/routes/users/@me/index.ts
+++ b/api/src/routes/users/@me/index.ts
@@ -46,8 +46,6 @@ router.patch("/", route({ body: "UserModifySchema" }), async (req: Request, res:
 		}
 	}
 
-	user.assign(body);
-
 	if (body.new_password) {
 		if (!body.password && !user.email) {
 			throw FieldErrors({
@@ -66,6 +64,7 @@ router.patch("/", route({ body: "UserModifySchema" }), async (req: Request, res:
         }
     }
 
+	user.assign(body);
 	await user.save();
 
 	// @ts-ignore
author	TheArcaneBrony <myrainbowdash949@gmail.com>	2022-04-22 18:12:18 +0200
committer	GitHub <noreply@github.com>	2022-04-22 18:12:18 +0200
commit	3491d01dca9917a9860ee77163fbed4ea6ef3d94 (patch)
tree	9eabeea3b7bc6138365f642578ffbbb9c87b3c80 /api/src/routes/users/@me
parent	Update UserGroup.ts (diff)
parent	Fix not assigning new changes to input fields in users/@me (diff)
download	server-3491d01dca9917a9860ee77163fbed4ea6ef3d94.tar.xz