Fix #17: prevent to set is_active/is_superuser on register route

fastapi_users/router.py

@@ -42,7 +42,10 @@ def get_user_router(
             raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST)
 
         hashed_password = get_password_hash(user.password)
-        db_user = models.UserDB(**user.dict(), hashed_password=hashed_password)
+        db_user = models.UserDB(
+            **user.dict(exclude={"id", "is_superuser", "is_active"}),
+            hashed_password=hashed_password
+        )
         created_user = await user_db.create(db_user)
         return created_user
 

tests/test_router.py

@@ -91,6 +91,30 @@ class TestRegister:
         assert "password" not in response_json
         assert "id" in response_json
 
+    def test_valid_body_is_superuser(self, test_app_client: TestClient):
+        json = {
+            "email": "lancelot@camelot.bt",
+            "password": "guinevere",
+            "is_superuser": True,
+        }
+        response = test_app_client.post("/register", json=json)
+        assert response.status_code == status.HTTP_201_CREATED
+
+        response_json = response.json()
+        assert response_json["is_superuser"] is False
+
+    def test_valid_body_is_active(self, test_app_client: TestClient):
+        json = {
+            "email": "lancelot@camelot.bt",
+            "password": "guinevere",
+            "is_active": False,
+        }
+        response = test_app_client.post("/register", json=json)
+        assert response.status_code == status.HTTP_201_CREATED
+
+        response_json = response.json()
+        assert response_json["is_active"] is True
+
 
 class TestLogin:
     def test_empty_body(self, test_app_client: TestClient):