andreas/heartbeat
Public Access
1
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases 44 Wiki Activity

fix: validate password body type and coerce notification_channels to strings in PUT /api/0/users/me

Browse Source
This commit is contained in:
Andreas Wrede
2026-05-09 11:46:58 -04:00
parent 60c692cefc
commit de81751e59
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
hbd/server/http.py
+3 -1
View File
@@ -1195,6 +1195,8 @@ async def start(
password_change = body.get("password") password_change = body.get("password")
if password_change: if password_change:
if not isinstance(password_change, dict):
return web.json_response({"error": "Invalid JSON"}, status=400)
current_pw = password_change.get("current", "") current_pw = password_change.get("current", "")
new_pw = password_change.get("new", "") new_pw = password_change.get("new", "")
if not new_pw: if not new_pw:
@@ -1213,7 +1215,7 @@ async def start(
if "avatar" in body: if "avatar" in body:
user_entry["avatar"] = str(body["avatar"]) user_entry["avatar"] = str(body["avatar"])
if "notification_channels" in body: if "notification_channels" in body:
user_entry["notification_channels"] = list(body["notification_channels"]) user_entry["notification_channels"] = [str(ch) for ch in body["notification_channels"]]
if password_change: if password_change:
user_entry["password"] = users_mod.hash_password(password_change["new"]) user_entry["password"] = users_mod.hash_password(password_change["new"])