Validates Form Patch Request

Makes sure patch requests send a validated request. Signed-off-by: Hassan Abouelela <[email protected]>
author: Hassan Abouelela <[email protected]> 2021-05-30 23:24:09 +0300
committer: Hassan Abouelela <[email protected]> 2021-05-30 23:24:09 +0300
commit: 4f28ae851bc602c52252e2e2d1c50f447d7922c1 (patch)
tree: 0539fbc68aa41677409a0278f168b14be4c6bd50 /backend/routes
parent: Merge pull request #89 from python-discord/admin_endpoint (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/backend/routes/forms/form.py b/backend/routes/forms/form.py
index 1c6e44a..205b601 100644
--- a/backend/routes/forms/form.py
+++ b/backend/routes/forms/form.py
@@ -47,6 +47,7 @@ class SingleForm(Route):
 
     @requires(["authenticated", "admin"])
     @api.validate(
+        json=Form,
         resp=Response(
             HTTP_200=OkayResponse,
             HTTP_400=ErrorMessage,
@@ -61,7 +62,8 @@ class SingleForm(Route):
         form_id = {"_id": request.path_params["form_id"]}
         if raw_form := await request.state.db.forms.find_one(form_id):
             if "_id" in data or "id" in data:
-                return JSONResponse({"error": "locked_field"}, status_code=400)
+                if (data.get("id") or data.get("_id")) != form_id["_id"]:
+                    return JSONResponse({"error": "locked_field"}, status_code=400)
 
             # Build Data Merger
             merge_strategy = [
author	Hassan Abouelela <[email protected]>	2021-05-30 23:24:09 +0300
committer	Hassan Abouelela <[email protected]>	2021-05-30 23:24:09 +0300
commit	4f28ae851bc602c52252e2e2d1c50f447d7922c1 (patch)
tree	0539fbc68aa41677409a0278f168b14be4c6bd50 /backend/routes
parent	Merge pull request #89 from python-discord/admin_endpoint (diff)