More precise permission checking during EditProfile requests.

Luka Vandervelden 2020-10-02 22:03:07 +02:00
parent bda24247f0
commit 0508c99b43


@ -432,8 +432,10 @@ class AuthD::Service
new_profile = request.new_profile
profile = user.profile || Hash(String, JSON::Any).new
@read_only_profile_keys.each do |key|
if new_profile.has_key? key
if new_profile[key]? != profile[key]?
return Response::Error.new "tried to edit read only key"
end
end