fix: avoid creation of superusers

basedosdados · Jan 16, 2024 · a4bbdd6 · a4bbdd6
1 parent fcd9aff
commit a4bbdd6
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/bd_api/custom/graphql_jwt.py b/bd_api/custom/graphql_jwt.py
@@ -44,9 +44,15 @@ def ownership_required(f, exc=exceptions.PermissionDenied):
 
     def get_uid(context, exp=r"id:\s[\"]?(\d+)[\"]?"):
         try:
-            query = str(context.body).replace('\\"', "")
+            query = str(context.body).replace('\\"', "").lower()
         except Exception:
-            query = str(context._post).replace('\\"', "")
+            query = str(context._post).replace('\\"', "").lower()
+
+        if "isadmin" in query:
+            return None
+        if "issuperuser" in query:
+            return None
+
         return [int(uid) for uid in findall(exp, query)]
 
     @wraps(f)