From 4f28ae851bc602c52252e2e2d1c50f447d7922c1 Mon Sep 17 00:00:00 2001
From: Hassan Abouelela
Date: Sun, 30 May 2021 23:24:09 +0300
Subject: Validates Form Patch Request
Makes sure patch requests send a validated request.
Signed-off-by: Hassan Abouelela
---
 backend/routes/forms/form.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'backend/routes')
diff --git a/backend/routes/forms/form.py b/backend/routes/forms/form.py
index 1c6e44a..205b601 100644
--- a/backend/routes/forms/form.py
+++ b/backend/routes/forms/form.py
@@ -47,6 +47,7 @@ class SingleForm(Route):
 @requires(["authenticated", "admin"])
 @api.validate(
+ json=Form,
 resp=Response(
 HTTP_200=OkayResponse,
 HTTP_400=ErrorMessage,
@@ -61,7 +62,8 @@ class SingleForm(Route):
 form_id = {"_id": request.path_params["form_id"]}
 if raw_form := await request.state.db.forms.find_one(form_id):
 if "_id" in data or "id" in data:
- return JSONResponse({"error": "locked_field"}, status_code=400)
+ if (data.get("id") or data.get("_id")) != form_id["_id"]:
+ return JSONResponse({"error": "locked_field"}, status_code=400)
 # Build Data Merger
 merge_strategy = [
--
cgit v1.2.3
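Review bot: `json=Form` in the first hunk only gates the request; the handler's later lines read `data` with `.get()`, so the merge appears to work on a plain dict whose assignment is outside the hunk. If that dict is the raw request body rather than the validated model, keys that `Form` does not declare may pass validation (depending on the model's extra-field setting) and still reach the merge. Worth confirming, and recording at the assignment with a comment such as `# data must come from the validated Form, not the raw JSON body`. The decorator call and the method body continue outside the hunk.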
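Review bot: The new comparison in the second hunk, `(data.get("id") or data.get("_id")) != form_id["_id"]`, inspects only one of the two keys, so a body whose `id` equals the path id but whose `_id` differs passes the locked-field check and the differing `_id` goes on to the merge below (what the merge does with it is outside the hunk). A falsy `id` such as an empty string also passes when `_id` matches. Compare every key that is present, e.g. `if any(data[k] != form_id["_id"] for k in ("id", "_id") if k in data):`, and keep the 400 response underneath. The enclosing method starts and ends outside the hunk.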