fix: frontend sending empty fields or unmodified ones
evnsh committed Nov 14, 2024
1 parent ccb33d7 commit d30627f
Showing 2 changed files with 20 additions and 12 deletions.
15 changes: 12 additions & 3 deletions backend/api/views/users.py
Expand Up @@ -13,7 +13,7 @@

from rest_framework_simplejwt.token_blacklist.models import OutstandingToken, BlacklistedToken

from django.contrib.auth.hashers import make_password
from django.contrib.auth.hashers import make_password, check_password
from django.shortcuts import get_object_or_404
from django.db import models, transaction
from django.db.models import Count
Expand Down Expand Up @@ -49,7 +49,7 @@ def patch(self, request, *args, **kwargs):
updated_fields = {}

for field in allowed_fields:
if field in data:
if field in data and data[field] != '':
if field == 'username' and me.oauthAccountID and data[field] != me.username:
return Response({"error": "Cannot change username for OAuth accounts."}, status=status.HTTP_400_BAD_REQUEST)
elif field == 'username' and data[field] != me.username:
Expand Down Expand Up @@ -78,7 +78,16 @@ def patch(self, request, *args, **kwargs):
updated_fields[field] = data[field]

sensitive_fields = ['password', 'phone_number', 'email']
if any(field in updated_fields for field in sensitive_fields) and me.mfaToken:
changed_sensitive_fields = [field for field in sensitive_fields if field in updated_fields]

for field in changed_sensitive_fields:
if field == 'password':
if not check_password(updated_fields[field], me.password):
changed_sensitive_fields.remove(field)
elif getattr(me, field) == updated_fields[field]:
changed_sensitive_fields.remove(field)

if changed_sensitive_fields and me.mfaToken:
otp = data.get('otp')
if not otp:
return Response({"error": "OTP is required to change sensitive information when MFA is enabled."}, status=status.HTTP_400_BAD_REQUEST)
Expand Down
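Review bot: The loop that prunes `changed_sensitive_fields` calls `.remove()` on the list it is iterating, so the element following each removal is skipped — if a same-as-current password precedes an unchanged email, the email is never compared and the OTP is still demanded for a no-op update (the failure is on the safe side, but it defeats the purpose of the new block). Building the list in one pass avoids the mutation-while-iterating hazard; a small local predicate keeps the password/hash special case readable. Note that the `password` branch runs a full `check_password` on caller-supplied input for every request, which is the intended slow hash and fine behind the usual throttling, but deserves a one-line comment so nobody "optimises" it into a plain string compare. `patch` starts and ends outside this hunk.

```python
sensitive_fields = ['password', 'phone_number', 'email']

def _is_unchanged(field):
    # The stored password is a hash, so compare via check_password; the
    # other sensitive fields are compared by value against the model.
    if field == 'password':
        return check_password(updated_fields[field], me.password)
    return getattr(me, field) == updated_fields[field]

changed_sensitive_fields = [
    field for field in sensitive_fields
    if field in updated_fields and not _is_unchanged(field)
]
# … unchanged: OTP requirement when changed_sensitive_fields and me.mfaToken …
```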
17 changes: 8 additions & 9 deletions frontend/src/components/Settings/Security/Security.js
Expand Up @@ -53,6 +53,7 @@ const Security = ({ user, setUser }) => {
...data,
[id]: value,
}));

}, []);

const checkSecurityRestrictions = useCallback((data, cfPassword) => {
Expand All @@ -70,11 +71,9 @@ const Security = ({ user, setUser }) => {
return t('restrictions.password.missingSpecial');
} else if (password && password !== cfPassword) {
return t('restrictions.password.noMatch');
} else if (!email) {
return t('restrictions.email.required');
} else if (email.length > 64) {
} else if (email && email.length > 64) {
return t('restrictions.email.invalidLength');
} else if (!/^[^@]+@[^@]+\.[^@]+$/.test(email)) {
} else if (email && !/^[^@]+@[^@]+\.[^@]+$/.test(email)) {
return t('restrictions.email.invalidFormat');
} else if (phone_number && !/^\+[1-9]\d{1,14}$/.test(phone_number)) {
return t('restrictions.phoneNumber.invalidFormat');
Expand All @@ -87,21 +86,21 @@ const Security = ({ user, setUser }) => {
e.preventDefault();
if (loading) return;

const submissionData = { ...formData };
const submissionData = {};

['password', 'phone_number', 'email'].forEach(field => {
if (!submissionData[field]) {
delete submissionData[field];
if (formData[field] && formData[field] !== user[field] && formData[field].trim() !== '') {
submissionData[field] = formData[field];
}
});

const errorMessage = checkSecurityRestrictions(submissionData, cfPassword);

if (errorMessage) {
setError(errorMessage);
} else if ((submissionData.password || submissionData.email || submissionData.phone_number) && has2FA) {
} else if (Object.keys(submissionData).length > 0 && has2FA) {
setShowTwoFactorAuth(true);
} else {
} else if (Object.keys(submissionData).length > 0) {
setLoading(true);
API.patch('users/@me/profile', submissionData)
.then(() => {
Expand Down
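Review bot: When every field is filtered out of `submissionData`, the new trailing `else if (Object.keys(submissionData).length > 0)` turns the submit into a silent no-op — no request, no error, no loading state — so the user gets no feedback that nothing was changed; a final branch such as `} else { setError(t('restrictions.noChanges')); }` (adding the translation key if it does not exist yet) would close that gap. The `formData[field] !== user[field]` comparison presumably only has an effect for `email` and `phone_number`, since a password should not be present on the client-side `user` object — worth a short comment, and the server-side equality/`check_password` comparison remains the authority, so this client filter is a UX convenience rather than a security control. The `.trim() !== ''` guard rejects whitespace-only values but the untrimmed value is what gets sent; for `email` and `phone_number` submitting the trimmed value would be more consistent (passwords should be left untouched). `handleSubmit` ends outside this hunk.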
