From 03503363e567edf3a2823833aad85a6696428168 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Thu, 6 Jan 2022 18:23:06 +0100
Subject: [PATCH] core: fix UserSelfSerializer's save() overwriting other user attributes
closes #2070
Signed-off-by: Jens Langhammer
---
 authentik/core/api/users.py | 7 +++++++
 authentik/core/tests/test_users_api.py | 7 +++++++
 2 files changed, 14 insertions(+)
diff --git a/authentik/core/api/users.py b/authentik/core/api/users.py
index e5a6e916e..69eab3d25 100644
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@@ -156,6 +156,13 @@ class UserSelfSerializer(ModelSerializer):
 raise ValidationError("Not allowed to change username.")
 return username
+ def save(self, **kwargs):
+ if self.instance:
+ attributes: dict = self.instance.attributes
+ attributes.update(self.validated_data.get("attributes", {}))
+ self.validated_data["attributes"] = attributes
+ return super().save(**kwargs)
+
 class Meta:
 model = User
diff --git a/authentik/core/tests/test_users_api.py b/authentik/core/tests/test_users_api.py
index c4b633372..4134c86fa 100644
--- a/authentik/core/tests/test_users_api.py
+++ b/authentik/core/tests/test_users_api.py
@@ -24,11 +24,18 @@ class TestUsersAPI(APITestCase):
 def test_update_self(self):
 """Test update_self"""
+ self.admin.attributes["foo"] = "bar"
+ self.admin.save()
+ self.admin.refresh_from_db()
 self.client.force_login(self.admin)
 response = self.client.put(
 reverse("authentik_api:user-update-self"), data={"username": "foo", "name": "foo"}
 )
+ self.admin.refresh_from_db()
 self.assertEqual(response.status_code, 200)
+ self.assertEqual(self.admin.attributes["foo"], "bar")
+ self.assertEqual(self.admin.username, "foo")
+ self.assertEqual(self.admin.name, "foo")
 def test_update_self_name_denied(self):
 """Test update_self"""
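Review bot: The merge in `UserSelfSerializer.save()` copies every key of the client-supplied `attributes` into the stored dict without filtering, and this serializer backs the self-update endpoint, so unless the field is validated elsewhere (not visible in this hunk) a user can set any attribute key on their own account, including keys other code may treat as policy. Consider merging only the keys users are meant to own, e.g. `incoming = {k: v for k, v in self.validated_data.get("attributes", {}).items() if k in SELF_EDITABLE_KEYS}`, where `SELF_EDITABLE_KEYS` is a placeholder for a project-defined allowlist. Separately, `attributes.update(...)` mutates `self.instance.attributes` in place before `super().save()` runs, so a failed save leaves the in-memory user modified; `attributes = {**self.instance.attributes, **incoming}` builds a fresh dict instead. The merge is also shallow, so a nested dict sent by the client replaces the stored one wholesale, which deserves a short comment on the method. The class body continues outside the hunk.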
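Review bot: `test_update_self` only sends `username` and `name`, so it confirms that stored attributes survive when the request omits `attributes`, but it never exercises the merge branch in which the client does send them. A second request carrying an `attributes` payload with a new key (a constructed sample such as `{"baz": "qux"}`, sent as JSON), followed by `self.assertEqual(self.admin.attributes["foo"], "bar")` and an assertion on the new key, would pin the merge semantics. If self-service writes are later limited to certain keys, a case asserting that a disallowed key is rejected or ignored belongs here too. The next test, `test_update_self_name_denied`, continues outside the hunk.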