From 8cd3a92c660b202655d99bee90b2864694c99946 Mon Sep 17 00:00:00 2001
From: Timothy Carambat
Date: Wed, 10 Jan 2024 08:42:03 -0800
Subject: [PATCH] [BUG] Fixed mass_assignment vuln (#566)

Fixed mass_assignment vuln

Co-authored-by: dastaj <78434825+dastaj@users.noreply.github.com>
---
 server/endpoints/invite.js | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/server/endpoints/invite.js b/server/endpoints/invite.js
index 08f9a14e..c5c34451 100644
--- a/server/endpoints/invite.js
+++ b/server/endpoints/invite.js
@@ -33,7 +33,7 @@ function inviteEndpoints(app) {
 app.post("/invite/:code", async (request, response) => {
 try {
 const { code } = request.params;
- const userParams = reqBody(request);
+ const { username, password } = reqBody(request);
 const invite = await Invite.get({ code });
 if (!invite || invite.status !== "pending") {
 response
@@ -42,7 +42,11 @@ function inviteEndpoints(app) {
 return;
 }
 
- const { user, error } = await User.create(userParams);
+ const { user, error } = await User.create(({
+ username,
+ password,
+ role: "default",
+ }));
 if (!user) {
 console.error("Accepting invite:", error);
 response
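Review bot: The destructured `username` and `password` on the `reqBody(request)` line are forwarded without a type or presence check, so a JSON body can still supply an object, an array or nothing at all for either field. Whether `User.create` rejects such values is not visible in this patch, so I would guard in the handler before the invite lookup, for example `if (typeof username !== "string" || typeof password !== "string")` followed by the handler's existing failure response and `return;`. The route handler starts and ends outside this hunk.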
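Review bot: The field allowlist added at the `User.create` call protects this route only. Any other caller that passes a request body straight into `User.create` would presumably still let the client set `role` or other columns, so the writable-field allowlist is better enforced inside the model as well. A regression test that posts a `role` value in the invite body and asserts the created user has role `default` would keep this from reappearing. The doubled parentheses in `User.create(({` … `}))` are redundant; `User.create({ username, password, role: "default" })` is equivalent and reads cleaner. The handler continues outside this hunk.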