fix: validate password body type and coerce notification_channels to strings in PUT /api/0/users/me

2026-05-09 11:46:58 -04:00
parent 60c692cefc
commit de81751e59
1 changed files with 3 additions and 1 deletions
@@ -1195,6 +1195,8 @@ async def start(
        password_change = body.get("password")

        if password_change:
+            if not isinstance(password_change, dict):
+                return web.json_response({"error": "Invalid JSON"}, status=400)
            current_pw = password_change.get("current", "")
            new_pw = password_change.get("new", "")
            if not new_pw:
@@ -1213,7 +1215,7 @@ async def start(
            if "avatar" in body:
                user_entry["avatar"] = str(body["avatar"])
            if "notification_channels" in body:
-                user_entry["notification_channels"] = list(body["notification_channels"])
+                user_entry["notification_channels"] = [str(ch) for ch in body["notification_channels"]]
            if password_change:
                user_entry["password"] = users_mod.hash_password(password_change["new"])