Fix user update security vulnerability (#615)

kir-dev · Apr 9, 2021 · b2b1719 · b2b1719
1 parent 06847d8
commit b2b1719
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/src/components/users/user.service.ts b/src/components/users/user.service.ts
@@ -42,7 +42,8 @@ export const updateRole = asyncWrapper(async (req: Request, res: Response, next:
 
 export const updateUser = asyncWrapper(async (req: Request, res: Response, next: NextFunction) => {
  const id = (req.user as User).id
- req.user = await User.query().patchAndFetchById(id, { ...req.body })
+ const { floor } = req.body
+ req.user = await User.query().patchAndFetchById(id, { floor })
 
  next()
 })