From d6cc6770b84a7d5a746be7fa0587cacd4db5feeb Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Fri, 18 Sep 2020 18:15:33 +0200
Subject: [PATCH] stages/user_write: fix data being saved as attributes without intent
---
 passbook/stages/user_write/stage.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/passbook/stages/user_write/stage.py b/passbook/stages/user_write/stage.py
index d6f9a7fc3..bbfdd78fe 100644
--- a/passbook/stages/user_write/stage.py
+++ b/passbook/stages/user_write/stage.py
@@ -51,8 +51,12 @@ class UserWriteStageView(StageView):
 # User has this key already
 elif hasattr(user, key):
 setattr(user, key, value)
- # Otherwise we just save it as custom attribute
+ # Otherwise we just save it as custom attribute, but only if the value is prefixed with
+ # `attribute_`, to prevent accidentally saving values
 else:
+ if not key.startswith("attribute_"):
+ LOGGER.debug("discarding key", key=key)
+ continue
 user.attributes[key] = value
 user.save()
 user_write.send(sender=self, request=request, user=user, data=data)
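Review bot: The new `attribute_` prefix check guards only the `else` branch, so the context branch directly above it, `elif hasattr(user, key): setattr(user, key, value)`, still writes any key that names an existing attribute of `user` (a model field such as a permission flag, or even a method name). If the keys in `data` can be influenced by the person running the flow, which this hunk does not show, that branch should test against an explicit allow-list instead of `hasattr`, for example `elif key in ALLOWED_USER_FIELDS:` where `ALLOWED_USER_FIELDS` is a placeholder name for a constant you would define. Two smaller points: the accepted key is stored with its prefix intact (`user.attributes["attribute_…"]`), which is worth confirming as intended, and the new comment says the value is prefixed while the code tests the key, so it should read "only if the key is prefixed with". The enclosing method starts and ends outside the hunk.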