diff --git a/posthog/api/test/test_user.py b/posthog/api/test/test_user.py
index 4b682b4095e7f..f88fd860c7e53 100644
--- a/posthog/api/test/test_user.py
+++ b/posthog/api/test/test_user.py
@@ -887,6 +887,25 @@ def assert_forbidden_url(url):
 assert_allowed_url("https://subdomain.otherexample.com")
 assert_allowed_url("https://sub.subdomain.otherexample.com")
+ def test_user_cannot_update_protected_fields(self):
+ self.user.is_staff = False
+ self.user.save()
+ fields = {
+ "date_joined": "2021-01-01T00:00:00Z",
+ "uuid": str(uuid.uuid4()),
+ "distinct_id": "distinct_id",
+ "pending_email": "changed@example.com",
+ "is_email_verified": True,
+ }
+
+ initial_user = self.client.get("/api/users/@me/").json()
+
+ for field, value in fields.items():
+ response = self.client.patch("/api/users/@me/", {field: value})
+ assert (
+ response.json()[field] == initial_user[field]
+ ), f"Updating field '{field}' to '{value}' worked when it shouldn't! Was {initial_user[field]} and is now {response.json()[field]}"
+
 class TestUserSlackWebhook(APIBaseTest):
 ENDPOINT: str = "/api/user/test_slack_webhook/"
diff --git a/posthog/api/user.py b/posthog/api/user.py
index 28b4a42b8620a..2c69250278ebb 100644
--- a/posthog/api/user.py
+++ b/posthog/api/user.py
@@ -86,7 +86,6 @@ class Meta:
 "pending_email",
 "email_opt_in",
 "is_email_verified",
- "pending_email",
 "notification_settings",
 "anonymize_data",
 "toolbar_mode",
@@ -107,8 +106,22 @@ class Meta:
 "scene_personalisation",
 "theme_mode",
 ]
+
+ read_only_fields = [
+ "date_joined",
+ "uuid",
+ "distinct_id",
+ "pending_email",
+ "is_email_verified",
+ "has_password",
+ "is_impersonated",
+ "team",
+ "organization",
+ "organizations",
+ "has_social_auth",
+ ]
+
 extra_kwargs = {
- "date_joined": {"read_only": True},
 "password": {"write_only": True},
 }
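Review bot: The new test_user_cannot_update_protected_fields only compares the PATCH response body with the earlier GET, so a field whose submitted value is echoed back unchanged while the stored row did change would still pass; re-reading persisted state after each PATCH (`self.user.refresh_from_db()` and comparing the model attribute, or a fresh `GET /api/users/@me/`) would pin what actually matters for a mass-assignment guard. It also covers five of the eleven names the companion `read_only_fields` list in user.py adds (`has_password`, `is_impersonated`, `team`, `organization`, `organizations`, `has_social_auth` are not exercised), and it never asserts `response.status_code`, so a 400/403 with an unrelated body would surface as a KeyError on `response.json()[field]` rather than as a readable failure. `uuid.uuid4()` presumes `import uuid` at the top of test_user.py, which is outside the hunk. The enclosing test class starts outside the hunk.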
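Review bot: `Meta.read_only_fields` in a DRF ModelSerializer applies only to fields the serializer generates from the model; a field declared explicitly on the serializer class (a `SerializerMethodField`, a nested serializer, or any `serializers.*Field(...)`) is not made read-only by being listed here and needs `read_only=True` on its own declaration. The field declarations are outside this hunk, so it cannot be confirmed from the diff whether `has_password`, `is_impersonated`, `team`, `organization`, `organizations` or `has_social_auth` are declared that way, but the names suggest computed or nested fields, which is exactly the case this list would silently not protect. Each of those six is worth checking against its declaration, and the new test should be extended to the full list so a regression in either place is caught. A short comment above the list, `# Only affects model-generated fields; explicitly declared fields need read_only=True on the declaration`, would record the constraint. The first user.py hunk (the duplicate `"pending_email"` removal) needs nothing further; the `Meta` class header and the enclosing serializer start outside both hunks.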