core: fix UserSelfSerializer's save() overwriting other user attributes

closes #2070 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-01-06 18:23:06 +01:00 · 2022-01-06 18:23:06 +01:00 · 03503363e5
parent 22d6621b02
commit 03503363e5
2 changed files with 14 additions and 0 deletions
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -156,6 +156,13 @@ class UserSelfSerializer(ModelSerializer):
            raise ValidationError("Not allowed to change username.")
        return username

+    def save(self, **kwargs):
+        if self.instance:
+            attributes: dict = self.instance.attributes
+            attributes.update(self.validated_data.get("attributes", {}))
+            self.validated_data["attributes"] = attributes
+        return super().save(**kwargs)
+
    class Meta:

        model = User
--- a/authentik/core/tests/test_users_api.py
+++ b/authentik/core/tests/test_users_api.py
@ -24,11 +24,18 @@ class TestUsersAPI(APITestCase):

    def test_update_self(self):
        """Test update_self"""
+        self.admin.attributes["foo"] = "bar"
+        self.admin.save()
+        self.admin.refresh_from_db()
        self.client.force_login(self.admin)
        response = self.client.put(
            reverse("authentik_api:user-update-self"), data={"username": "foo", "name": "foo"}
        )
+        self.admin.refresh_from_db()
        self.assertEqual(response.status_code, 200)
+        self.assertEqual(self.admin.attributes["foo"], "bar")
+        self.assertEqual(self.admin.username, "foo")
+        self.assertEqual(self.admin.name, "foo")

    def test_update_self_name_denied(self):
        """Test update_self"""