Validate that a user can't patch their team id (#1947)

* Prevent users from PATCH'ing their team id
2025-12-17 22:14:25 +01:00 · 2021-07-15 12:11:30 -04:00
parent dbc0a7569f
commit 58dfe15fe6
2 changed files with 19 additions and 1 deletions
--- a/tests/api/v1/test_users.py
+++ b/tests/api/v1/test_users.py
@@ -14,6 +14,7 @@ from tests.helpers import (
    gen_challenge,
    gen_fail,
    gen_solve,
+    gen_team,
    gen_user,
    login_as_user,
    register_user,
@@ -919,3 +920,20 @@ def test_api_user_get_schema():
                UserSchema.views["user"] + ["score", "place"]
            )
    destroy_ctfd(app)
+
+
+def test_api_user_patch_team_id():
+    """Users can't patch their team_id directly"""
+    app = create_ctfd()
+    with app.app_context():
+        register_user(app)
+        gen_team(app.db)
+
+        with login_as_user(app) as client:
+            data = {
+                "team_id": 1,
+            }
+            r = client.patch("/api/v1/users/me", json=data)
+            data = r.get_json()
+            assert data["data"]["team_id"] is None
+    destroy_ctfd(app)