fix: Explicitly call out readonly user fields (#21889)

posthog/api/test/test_user.py

@@ -887,6 +887,25 @@ def assert_forbidden_url(url):
         assert_allowed_url("https://subdomain.otherexample.com")
         assert_allowed_url("https://sub.subdomain.otherexample.com")
 
+    def test_user_cannot_update_protected_fields(self):
+        self.user.is_staff = False
+        self.user.save()
+        fields = {
+            "date_joined": "2021-01-01T00:00:00Z",
+            "uuid": str(uuid.uuid4()),
+            "distinct_id": "distinct_id",
+            "pending_email": "[email protected]",
+            "is_email_verified": True,
+        }
+
+        initial_user = self.client.get("/api/users/@me/").json()
+
+        for field, value in fields.items():
+            response = self.client.patch("/api/users/@me/", {field: value})
+            assert (
+                response.json()[field] == initial_user[field]
+            ), f"Updating field '{field}' to '{value}' worked when it shouldn't! Was {initial_user[field]} and is now {response.json()[field]}"
+
 
 class TestUserSlackWebhook(APIBaseTest):
     ENDPOINT: str = "/api/user/test_slack_webhook/"

posthog/api/user.py

@@ -86,7 +86,6 @@ class Meta:
             "pending_email",
             "email_opt_in",
             "is_email_verified",
-            "pending_email",
             "notification_settings",
             "anonymize_data",
             "toolbar_mode",
@@ -107,8 +106,22 @@ class Meta:
             "scene_personalisation",
             "theme_mode",
         ]
+
+        read_only_fields = [
+            "date_joined",
+            "uuid",
+            "distinct_id",
+            "pending_email",
+            "is_email_verified",
+            "has_password",
+            "is_impersonated",
+            "team",
+            "organization",
+            "organizations",
+            "has_social_auth",
+        ]
+
         extra_kwargs = {
-            "date_joined": {"read_only": True},
             "password": {"write_only": True},
         }