fix: prevents user data from being set directly if it's already defin…

…ed within the profile
dimagi · Jan 3, 2025 · 2c53356 · 2c53356
1 parent c47ea27
commit 2c53356
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 1 deletion.
diff --git a/corehq/apps/api/tests/test_validation.py b/corehq/apps/api/tests/test_validation.py
@@ -5,6 +5,7 @@
 from corehq.apps.custom_data_fields.models import (
     CustomDataFieldsDefinition,
     CustomDataFieldsProfile,
+    Field,
 )
 from corehq.apps.domain.models import Domain
 from corehq.apps.users.models import WebUser
@@ -124,6 +125,10 @@ def test_validate_profile_with_no_profile_input(self):
         self.definition.profile_required_for_user_type = []
         self.definition.save()
 
+    def test_validate_profile_with_conflicting_user_data(self):
+        self.assertEqual(self.validator.validate_custom_data_with_profile({'imaginary': 'yes'}, 'character'),
+            ["'imaginary' cannot be set directly"])
+
     def test_validate_email(self):
         self.assertIsNone(self.validator.validate_email("[email protected]", True))
 

diff --git a/corehq/apps/api/validation.py b/corehq/apps/api/validation.py
@@ -17,6 +17,7 @@
 )
 from corehq.apps.users.validation import validate_primary_location_assignment
 from corehq.apps.registration.validation import AdminInvitesUserFormValidator
+from corehq.apps.custom_data_fields.models import PROFILE_SLUG
 
 
 class WebUserResourceValidator():
@@ -33,6 +34,7 @@ def is_valid(self, data, is_post):
             (self.validate_role, [data.get("role")]),
             (self.validate_profile, [data.get("profile"), is_post]),
             (self.validate_custom_data, [data.get("custom_user_data"), data.get("profile")]),
+            (self.validate_custom_data_with_profile, [data.get("custom_user_data"), data.get("profile")]),
             (self.validate_email, [data.get("email"), is_post]),
             (self.validate_locations, [data.get("username"), data.get("assigned_locations"),
                                        data.get("primary_location")]),
@@ -43,8 +45,10 @@ def is_valid(self, data, is_post):
 
         for validator, args in validators:
             error = validator(*args)
-            if error:
+            if error and isinstance(error, str):
                 errors.append(error)
+            elif isinstance(error, list):
+                errors += error
 
         return errors
 
@@ -100,6 +104,21 @@ def validate_custom_data(self, custom_data, profile_name):
         spec = {'data': custom_data, 'user_profile': profile_name}
         return custom_data_validator.validate_spec(spec)
 
+    def validate_custom_data_with_profile(self, custom_data, profile_name):
+        if custom_data is None or profile_name is None:
+            return
+
+        errors = []
+        profile = self.profiles_by_name.get(profile_name)
+
+        system_fields = set(profile.fields.keys()) if profile else set()
+        system_fields.add(PROFILE_SLUG)
+
+        for key in custom_data.keys():
+            if key in system_fields:
+                errors.append(_("'{}' cannot be set directly").format(key))
+        return errors
+
     def validate_email(self, email, is_post):
         if is_post and email is not None:
             error = AdminInvitesUserFormValidator.validate_email(self.domain, email)