paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-11-02 13:03:29 +00:00
Code Issues Packages Projects Releases Wiki Activity

custom_profile_fields: Restrict access to users in the same realm.

Browse Source 
Signed-off-by: Anders Kaseorg <anders@zulip.com>
This commit is contained in:
Anders Kaseorg
2025-03-27 02:00:50 -07:00
committed by Tim Abbott
parent 85abd9d58b
commit 87e4b99706
2 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
zerver/lib/users.py
View File

@@ -526,7 +526,7 @@ def validate_user_custom_profile_data(
for item in profile_data:
field_id = item["id"]
try:
field = CustomProfileField.objects.get(id=field_id)
field = CustomProfileField.objects.get(realm_id=realm_id, id=field_id)
except CustomProfileField.DoesNotExist:
raise JsonableError(_("Field id {id} not found.").format(id=field_id))

2
zerver/views/custom_profile_fields.py
View File

@@ -220,7 +220,7 @@ def delete_realm_custom_profile_field(
request: HttpRequest, user_profile: UserProfile, field_id: int
) -> HttpResponse:
try:
field = CustomProfileField.objects.get(id=field_id)
field = CustomProfileField.objects.get(realm_id=user_profile.realm_id, id=field_id)
except CustomProfileField.DoesNotExist:
raise JsonableError(_("Field id {id} not found.").format(id=field_id))