Prevent users from nulling out profile values (#1125)

* Prevent users from nulling out profile values
2025-12-17 14:04:20 +01:00 · 2019-10-02 01:22:54 -04:00
parent b8c1970b8e
commit b15f1787e4
4 changed files with 45 additions and 0 deletions
--- a/tests/api/v1/test_users.py
+++ b/tests/api/v1/test_users.py
@@ -427,6 +427,13 @@ def test_api_user_change_name():
            assert resp["data"]["name"] == "user2"
            assert resp["success"] is True

+            r = client.patch("/api/v1/users/me", json={"name": None})
+            resp = r.get_json()
+            print(resp)
+            assert r.status_code == 400
+            assert resp["errors"]["name"] == ["Field may not be null."]
+            assert resp["success"] is False
+
            set_config("name_changes", False)

            r = client.patch("/api/v1/users/me", json={"name": "new_name"})
@@ -444,6 +451,32 @@ def test_api_user_change_name():
    destroy_ctfd(app)


+def test_api_user_change_email():
+    """Test that users can change their email via the API"""
+    app = create_ctfd()
+    with app.app_context():
+        register_user(app)
+        user = Users.query.filter_by(id=2).first()
+        app.db.session.commit()
+        with login_as_user(app) as client:
+            # Test users can't submit null
+            r = client.patch("/api/v1/users/me", json={"email": None, "confirm": "password"})
+            resp = r.get_json()
+            print(resp)
+            assert r.status_code == 400
+            assert resp["errors"]["email"] == ["Field may not be null."]
+
+            # Test users can exercise the API
+            r = client.patch("/api/v1/users/me", json={"email": "new_email@email.com", "confirm": "password"})
+            assert r.status_code == 200
+            resp = r.get_json()
+            assert resp["data"]["email"] == "new_email@email.com"
+            assert resp["success"] is True
+            user = Users.query.filter_by(id=2).first()
+            assert user.email == "new_email@email.com"
+    destroy_ctfd(app)
+
+
 def test_api_user_change_verify_email():
    """Test that users are marked unconfirmed if they change their email and verify_emails is turned on"""
    app = create_ctfd()