From 45fc2d4a61c4e0a75c146fcd811cba2abc08ea86 Mon Sep 17 00:00:00 2001
From: Sam Oehlert
Date: Mon, 7 Apr 2025 15:55:39 -0500
Subject: [PATCH 1/2] fix(username-changes): remove updatemodelmixin so that users cant change their own username over API
this was part of the pentest report
---
 scram/users/api/views.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scram/users/api/views.py b/scram/users/api/views.py
index 0e17cb54..1ddad88a 100644
--- a/scram/users/api/views.py
+++ b/scram/users/api/views.py
@@ -3,7 +3,7 @@
 from django.contrib.auth import get_user_model
 from rest_framework import status
 from rest_framework.decorators import action
-from rest_framework.mixins import ListModelMixin, RetrieveModelMixin, UpdateModelMixin
+from rest_framework.mixins import ListModelMixin, RetrieveModelMixin
 from rest_framework.response import Response
 from rest_framework.viewsets import GenericViewSet
@@ -12,7 +12,7 @@
 User = get_user_model()
-class UserViewSet(RetrieveModelMixin, ListModelMixin, UpdateModelMixin, GenericViewSet):
+class UserViewSet(RetrieveModelMixin, ListModelMixin, GenericViewSet):
 """Lookup Users by username."""
 serializer_class = UserSerializer
From 329a9efd7121cdc30bad1f9731fb8e827af68717 Mon Sep 17 00:00:00 2001
From: Sam Oehlert
Date: Mon, 7 Apr 2025 15:56:47 -0500
Subject: [PATCH 2/2] test(username-change): test to make sure we dont allow users to update their own username in the API
---
 scram/users/tests/test_drf_views.py | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/scram/users/tests/test_drf_views.py b/scram/users/tests/test_drf_views.py
index bbe56598..e6d6f490 100644
--- a/scram/users/tests/test_drf_views.py
+++ b/scram/users/tests/test_drf_views.py
@@ -2,6 +2,8 @@
 import pytest
 from django.test import RequestFactory
+from django.urls import reverse
+from rest_framework.test import APIClient
 from scram.users.api.views import UserViewSet
 from scram.users.models import User
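Review bot: The class docstring kept on the line after the new `class UserViewSet(RetrieveModelMixin, ListModelMixin, GenericViewSet):` still reads `"""Lookup Users by username."""` and records nothing about the endpoint now being read-only, so the next maintainer can re-add `UpdateModelMixin` (or a writable custom action) without knowing the removal was a deliberate pentest fix; suggest `"""Lookup Users by username. Read-only by design: update support was removed so authenticated users cannot rename themselves over the API."""`. For defense in depth, pinning `http_method_names = ["get", "head", "options"]` on the class would keep PUT/PATCH/DELETE off every route of this viewset regardless of which mixins or `@action`s are present later — provided the existing custom action (the retained `status`, `action` and `Response` imports suggest one, presumably the `me` endpoint the tests exercise) is GET-only. The class body continues outside the hunk, so whether `UserSerializer` still declares `username` as writable cannot be checked here; with the mixin gone nothing consumes that writability, but any remaining write path in the class would.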
@@ -37,3 +39,26 @@ def test_me(self, user: User, rf: RequestFactory):
 "name": user.name,
 "url": f"http://testserver/api/v1/users/{user.username}/",
 }
+
+ def test_user_cannot_update_name(self):
+ """Test that users cannot update their name via the API."""
+ client = APIClient()
+
+ original_name = "testuser"
+ test_user = User.objects.create_user(
+ username=original_name,
+ password="password123",
+ )
+
+ # Authenticate as this user
+ client.force_authenticate(user=test_user)
+
+ # Try to update name using PUT
+ url = reverse("users:detail", kwargs={"username": test_user.username})
+ update_data = {"username": "New Name"}
+
+ client.put(url, update_data)
+
+ # Confirm user's name wasn't changed in the database
+ test_user.refresh_from_db()
+ assert test_user.username == original_name
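Review bot: The new `test_user_cannot_update_name` never inspects the response of `client.put(url, update_data)`, so a server that answers 200 but silently ignores the field, or a 404 from a mistyped route name, passes this test just as well as the intended 405 from the removed mixin; capture the response and assert its status. PATCH should be covered in the same test, since `UpdateModelMixin` also provided `partial_update` and a partial write is the more likely way a username change would creep back in. The method name and docstring speak of "name" while the request body and the final assertion check `username`; `test_user_cannot_update_username` with the docstring `"""Users must not be able to change their username via the API (PUT and PATCH are not routed)."""` would match the commit subject. Whether the enclosing test class grants database access (which `User.objects.create_user` needs) cannot be seen from this hunk, as the class header is outside it.

```python
        # Try to update the username using PUT, then PATCH; neither verb is routed
        response = client.put(url, update_data)
        assert response.status_code == 405

        response = client.patch(url, update_data)
        assert response.status_code == 405

        # … unchanged: refresh_from_db and the username assertion …
```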