custom_profile: Prevent bot users from accessing endpoint.

Tim Abbott
2017-07-31 11:30:08 -07:00
parent 93261e14b7
commit 9bf02fb913
2 changed files with 4 additions and 1 deletions


@@ -1026,6 +1026,7 @@ class TestHumanUsersOnlyDecorator(ZulipTestCase):
"/api/v1/settings/display",
"/api/v1/settings/notifications",
"/api/v1/settings/ui",
"/api/v1/users/me/profile_data"
]
for endpoint in patch_endpoints:
result = self.client_patch(endpoint, **self.api_auth('default-bot@zulip.com'))
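Review bot: The new entry `"/api/v1/users/me/profile_data"` is added as the last list element without a trailing comma, unlike the entries above it. Writing it as `"/api/v1/users/me/profile_data",` keeps the next addition a one-line change and avoids two adjacent string literals being joined into one URL if the comma is forgotten later. The loop body continues outside the hunk, so the assertion applied to each endpoint is not visible here.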


@@ -8,7 +8,8 @@ from django.db import IntegrityError, connection
from django.http import HttpRequest, HttpResponse
from django.utils.translation import ugettext as _
from zerver.decorator import has_request_variables, REQ, require_realm_admin
from zerver.decorator import has_request_variables, REQ, require_realm_admin, \
human_users_only
from zerver.lib.actions import (try_add_realm_custom_profile_field,
do_remove_realm_custom_profile_field,
try_update_realm_custom_profile_field,
@@ -77,6 +78,7 @@ def update_realm_custom_profile_field(request, user_profile, field_id,
return json_error(_('A field with that name already exists.'))
return json_success()
@human_users_only
@has_request_variables
def update_user_custom_profile_data(
request,
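Review bot: The bot restriction on `update_user_custom_profile_data` is opt-in per view, and nothing at the decorator site records why it is there or that the URL is also expected in the bot-rejection test. A one-line comment above the decorator would help the next maintainer, for example `# Bots may not edit custom profile data; this URL is covered by TestHumanUsersOnlyDecorator.` Placing `@human_users_only` above `@has_request_variables` means the bot check presumably runs before request variables are parsed, which looks intended. If other views in this file serve the same URL for other HTTP methods they would need the same decorator; that is not visible in this hunk. The function signature and body continue outside the hunk.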