From 8d65a11a4fad3a27cb82a6ae7a7bc226e8c46a4c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Voron?=
Date: Sat, 19 Oct 2019 18:56:54 +0200
Subject: [PATCH] Fix #17: prevent to set is_active/is_superuser on register route

---
 fastapi_users/router.py | 5 ++++-
 tests/test_router.py | 24 ++++++++++++++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/fastapi_users/router.py b/fastapi_users/router.py
index cde1605b..b4bb10a0 100644
--- a/fastapi_users/router.py
+++ b/fastapi_users/router.py
@@ -42,7 +42,10 @@ def get_user_router(
 raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST)
 hashed_password = get_password_hash(user.password)
- db_user = models.UserDB(**user.dict(), hashed_password=hashed_password)
+ db_user = models.UserDB(
+ **user.dict(exclude={"id", "is_superuser", "is_active"}),
+ hashed_password=hashed_password
+ )
 created_user = await user_db.create(db_user)
 return created_user
diff --git a/tests/test_router.py b/tests/test_router.py
index 5731a65b..9836230f 100644
--- a/tests/test_router.py
+++ b/tests/test_router.py
@@ -91,6 +91,30 @@ class TestRegister:
 assert "password" not in response_json
 assert "id" in response_json
+ def test_valid_body_is_superuser(self, test_app_client: TestClient):
+ json = {
+ "email": "lancelot@camelot.bt",
+ "password": "guinevere",
+ "is_superuser": True,
+ }
+ response = test_app_client.post("/register", json=json)
+ assert response.status_code == status.HTTP_201_CREATED
+
+ response_json = response.json()
+ assert response_json["is_superuser"] is False
+
+ def test_valid_body_is_active(self, test_app_client: TestClient):
+ json = {
+ "email": "lancelot@camelot.bt",
+ "password": "guinevere",
+ "is_active": False,
+ }
+ response = test_app_client.post("/register", json=json)
+ assert response.status_code == status.HTTP_201_CREATED
+
+ response_json = response.json()
+ assert response_json["is_active"] is True
+
 class TestLogin:
 def test_empty_body(self, test_app_client: TestClient):
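Review bot: The new `exclude={"id", "is_superuser", "is_active"}` in the `models.UserDB(...)` call is a deny-list, so any privileged or server-owned field added to the user model later becomes settable from the register body again unless someone remembers to extend this set. An allow-list is the safer shape here: a dedicated create schema that declares only the fields a registrant may supply, or an explicit `include=` of those fields, so that a newly added field is rejected by default rather than accepted. The values `is_active` and `is_superuser` end up with are not visible in this hunk; presumably the `UserDB` defaults apply, which is what the accompanying tests (`is_superuser` False, `is_active` True) would confirm. A short why-comment above the call would help the next reader, e.g. `# Never take server-owned or privileged fields from the request body; the model defaults apply.` Both the register handler and `get_user_router` start before this hunk.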
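Review bot: The router change also strips `id` from the register payload, but neither `test_valid_body_is_superuser` nor `test_valid_body_is_active` exercises it, so that part of the fix is untested. A third test in the same shape that posts an `id` and asserts the returned `id` differs would pin it; since the generated id format is not visible here, compare for inequality rather than against a specific value. Both new tests also assert only on the response body, so a response model that masks a stored value would still pass them; if the test module has a db fixture (not visible in this hunk), checking the created record directly would be stronger. `TestRegister` starts before this hunk.
```python
    def test_valid_body_id(self, test_app_client: TestClient):
        json = {
            "email": "lancelot@camelot.bt",
            "password": "guinevere",
            "id": "CONSTRUCTED-ID-NOT-FROM-PAGE",  # any client-chosen value
        }
        response = test_app_client.post("/register", json=json)
        assert response.status_code == status.HTTP_201_CREATED

        response_json = response.json()
        assert response_json["id"] != json["id"]
```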