fix(AbstractUserController): Prevent some OtpUser fields from being w…

…ritten from web request.
ibi-group · Nov 20, 2023 · f8cdc36 · f8cdc36
1 parent 54ccad7
commit f8cdc36
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/src/main/java/org/opentripplanner/middleware/controllers/api/AbstractUserController.java b/src/main/java/org/opentripplanner/middleware/controllers/api/AbstractUserController.java
@@ -139,8 +139,14 @@ U preUpdateHook(U user, U preExistingUser, Request req) {
             }
 
             // Include select attributes from existingOtpUser marked @JsonIgnore and
-            // that are not set in otpUser.
+            // that are not set in otpUser, and other attributes that should not be modifiable
+            // using web requests.
             otpUser.smsConsentDate = existingOtpUser.smsConsentDate;
+            otpUser.email = existingOtpUser.email;
+            otpUser.auth0UserId = existingOtpUser.auth0UserId;
+            otpUser.isDataToolsUser = existingOtpUser.isDataToolsUser;
+            otpUser.pushDevices = existingOtpUser.pushDevices;
+
         }
         return user;
     }