From 22dfd764677c2c7d140d6c386f3459f9e9fec513 Mon Sep 17 00:00:00 2001
From: philipp
Date: Thu, 23 Mar 2023 11:16:00 +0100
Subject: [PATCH] always use your own name for registrations; except if the user has the add_different_user permission
---
 src/rest/restreg.rs | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/src/rest/restreg.rs b/src/rest/restreg.rs
index 579b9aa..fe9e507 100644
--- a/src/rest/restreg.rs
+++ b/src/rest/restreg.rs
@@ -38,6 +38,14 @@ async fn register(
 );
 }
+ if !user.add_different_user && user.name != register.name {
+ log::error!("{} tried to register a different person, even though the user has no add_different_user flag and thus it should not be possible to do so via UI -> manually crafted request?", user.name);
+ return Flash::error(
+ Redirect::to("/"),
+ "Don't (try to ;)) abuse this system! Incident has been reported...",
+ );
+ }
+
 let user = user::Model::find_or_create_user(®ister.name, db.inner()).await;
 if let Some(cox_id) = register.cox_id {
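Review bot: The rejection log in the added `if` records only `user.name`, so whoever triages the reported incident cannot see which name the caller tried to register. Including the submitted value with debug formatting also keeps control characters from a crafted request from breaking the log line, e.g. `log::error!("{} tried to register {:?} without the add_different_user flag -> manually crafted request?", user.name, register.name);`. The new check covers only `register.name`, while `register.cox_id` from the same request is consumed right after it; whether a user without the flag can point `cox_id` at another person is not visible in this hunk and is worth confirming. The body of `register` starts and ends outside the hunk.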