custom_profile_fields: Restrict access to users in the same realm.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2025-11-01 20:44:04 +00:00 · 2025-03-27 02:00:50 -07:00
parent 85abd9d58b
commit 87e4b99706
2 changed files with 2 additions and 2 deletions
--- a/zerver/lib/users.py
+++ b/zerver/lib/users.py
@@ -526,7 +526,7 @@ def validate_user_custom_profile_data(
    for item in profile_data:
        field_id = item["id"]
        try:
-            field = CustomProfileField.objects.get(id=field_id)
+            field = CustomProfileField.objects.get(realm_id=realm_id, id=field_id)
        except CustomProfileField.DoesNotExist:
            raise JsonableError(_("Field id {id} not found.").format(id=field_id))