Validate that a user can't patch their team id (#1947)

* Prevent users from PATCH'ing their team id

CTFd/schemas/users.py

@@ -16,7 +16,7 @@ class UserSchema(ma.ModelSchema):
     class Meta:
         model = Users
         include_fk = True
-        dump_only = ("id", "oauth_id", "created")
+        dump_only = ("id", "oauth_id", "created", "team_id")
         load_only = ("password",)
 
     name = field_for(

tests/api/v1/test_users.py

@@ -14,6 +14,7 @@ from tests.helpers import (
     gen_challenge,
     gen_fail,
     gen_solve,
+    gen_team,
     gen_user,
     login_as_user,
     register_user,
@@ -919,3 +920,20 @@ def test_api_user_get_schema():
                 UserSchema.views["user"] + ["score", "place"]
             )
     destroy_ctfd(app)
+
+
+def test_api_user_patch_team_id():
+    """Users can't patch their team_id directly"""
+    app = create_ctfd()
+    with app.app_context():
+        register_user(app)
+        gen_team(app.db)
+
+        with login_as_user(app) as client:
+            data = {
+                "team_id": 1,
+            }
+            r = client.patch("/api/v1/users/me", json=data)
+            data = r.get_json()
+            assert data["data"]["team_id"] is None
+    destroy_ctfd(app)