[BUG] Fixed mass_assignment vuln (#566)

Fixed mass_assignment vuln Co-authored-by: dastaj <78434825+dastaj@users.noreply.github.com>
2024-07-02 15:20:37 +02:00 · 2024-01-10 08:42:03 -08:00 · 2024-01-10 08:42:03 -08:00 · 8cd3a92c66
commit 8cd3a92c66
parent 259079ac58
1 changed files with 6 additions and 2 deletions
--- a/server/endpoints/invite.js
+++ b/server/endpoints/invite.js
@ -33,7 +33,7 @@ function inviteEndpoints(app) {
  app.post("/invite/:code", async (request, response) => {
    try {
      const { code } = request.params;
-      const userParams = reqBody(request);
+      const { username, password } = reqBody(request);
      const invite = await Invite.get({ code });
      if (!invite || invite.status !== "pending") {
        response
@ -42,7 +42,11 @@ function inviteEndpoints(app) {
        return;
      }

-      const { user, error } = await User.create(userParams);
+      const { user, error } = await User.create(({
+        username,
+        password,
+        role: "default",
+      }));
      if (!user) {
        console.error("Accepting invite:", error);
        response