always use your own name for registrations; except if the user has the add_different_user permission

2023-03-23 11:16:00 +01:00 · 2023-03-23 11:16:00 +01:00 · 22dfd76467
commit 22dfd76467
parent cde862f97f
1 changed files with 8 additions and 0 deletions
--- a/src/rest/restreg.rs
+++ b/src/rest/restreg.rs
@ -38,6 +38,14 @@ async fn register(
        );
    }

+    if !user.add_different_user && user.name != register.name {
+        log::error!("{} tried to register a different person, even though the user has no add_different_user flag and thus it should not be possible to do so via UI -> manually crafted request?", user.name);
+        return Flash::error(
+            Redirect::to("/"),
+            "Don't (try to ;)) abuse this system! Incident has been reported...",
+        );
+    }
+
    let user = user::Model::find_or_create_user(&register.name, db.inner()).await;

    if let Some(cox_id) = register.cox_id {