From f8cdc36c212437da48f64da3bd9c533971a96c35 Mon Sep 17 00:00:00 2001
From: binh-dam-ibigroup <56846598+binh-dam-ibigroup@users.noreply.github.com>
Date: Mon, 20 Nov 2023 16:48:14 -0500
Subject: [PATCH] fix(AbstractUserController): Prevent some OtpUser fields from being written from web request.

---
 .../controllers/api/AbstractUserController.java | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/main/java/org/opentripplanner/middleware/controllers/api/AbstractUserController.java b/src/main/java/org/opentripplanner/middleware/controllers/api/AbstractUserController.java
index d15dc274e..01860b629 100644
--- a/src/main/java/org/opentripplanner/middleware/controllers/api/AbstractUserController.java
+++ b/src/main/java/org/opentripplanner/middleware/controllers/api/AbstractUserController.java
@@ -139,8 +139,14 @@ U preUpdateHook(U user, U preExistingUser, Request req) {
             }
             // Include select attributes from existingOtpUser marked @JsonIgnore and
-            // that are not set in otpUser.
+            // that are not set in otpUser, and other attributes that should not be modifiable
+            // using web requests.
             otpUser.smsConsentDate = existingOtpUser.smsConsentDate;
+            otpUser.email = existingOtpUser.email;
+            otpUser.auth0UserId = existingOtpUser.auth0UserId;
+            otpUser.isDataToolsUser = existingOtpUser.isDataToolsUser;
+            otpUser.pushDevices = existingOtpUser.pushDevices;
+
         }
         return user;
     }
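Review bot: The added assignments are a deny-list applied after the request body has already been deserialized into `otpUser`, so every OtpUser field not named here — including any privileged field added to the class later — stays client-writable by default, and the fix silently decays as the model grows; the fail-safe shape is an allow-list that copies only the user-editable fields from `otpUser` onto `existingOtpUser` and persists that object. If the deny-list is kept, the comment should state the invariant so the next field author sees it, e.g. `// SECURITY: identity/authorization fields must be restored from the stored record here; add any new privileged field to this list.`, and a regression test that PUTs a body with a different `auth0UserId` and `isDataToolsUser = true` and asserts both are unchanged after the update would pin it. The `if` block these lines sit in and `preUpdateHook` itself begin before the hunk, so whether the same restoration is applied for the other user types handled by this controller, or on the create path, cannot be confirmed from here — worth checking, since a create request that sets `auth0UserId` or `isDataToolsUser` would bypass this hook entirely.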