Merge pull request #9116 from OpenMined/protect_user_fields

Forbid changing user delete, created and updated dates using the API.
OpenMined · Aug 1, 2024 · 91a4e61 · 91a4e61
2 parents fd3b768 + c8a1245
commit 91a4e61
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/packages/syft/src/syft/service/user/user_service.py b/packages/syft/src/syft/service/user/user_service.py
@@ -492,6 +492,20 @@ def update(
         # Get user to be updated by its UID
         result = self.stash.get_by_uid(credentials=context.credentials, uid=uid)
 
+        immutable_fields = {"created_date", "updated_date", "deleted_date"}
+        updated_fields = user_update.to_dict(
+            exclude_none=True, exclude_empty=True
+        ).keys()
+
+        for field_name in immutable_fields:
+            if field_name in updated_fields:
+                return SyftError(
+                    message=f"You are not allowed to modify '{field_name}'."
+                )
+
+        if user_update.name is not Empty and user_update.name.strip() == "":  # type: ignore[comparison-overlap]
+            return SyftError(message="Name can't be an empty string.")
+
         # check if the email already exists (with root's key)
         if user_update.email is not Empty:
             user_with_email_exists: bool = self.stash.email_exists(