From 58bbe470fdb99cdac2f2cf4266d363da825e2145 Mon Sep 17 00:00:00 2001
From: Bai
Date: Tue, 16 Jun 2026 17:42:29 +0800
Subject: [PATCH] fix: profile password patch method not allowed

---
 apps/users/api/profile.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/apps/users/api/profile.py b/apps/users/api/profile.py
index 90bac5509..0ea8c1baa 100644
--- a/apps/users/api/profile.py
+++ b/apps/users/api/profile.py
@@ -70,6 +70,8 @@ class UserProfileApi(generics.RetrieveUpdateAPIView):
 class UserPasswordApi(generics.RetrieveUpdateAPIView):
     permission_classes = (IsAuthenticated,)
     serializer_class = serializers.UserUpdatePasswordSerializer
+    # patch 方法不允许,否则 old_password 不传会导致用户直接修改密码成功,安全风险大
+    http_method_names = ['put', 'head', 'options']
 
     def get_object(self):
         return self.request.user
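Review bot: Disabling PATCH on `UserPasswordApi` closes the bypass at this one view, but the underlying weakness — that `old_password` stops being required as soon as the serializer is instantiated with `partial=True` — presumably still lives in `UserUpdatePasswordSerializer`, so any other view or code path that reuses it for a partial update inherits the same hole (the serializer is outside this hunk, so this is inferred from the added comment). A defence-in-depth fix is to enforce the check in the serializer's `validate` independently of the HTTP method, e.g. `if not attrs.get('old_password'): raise ValidationError({'old_password': 'This field is required.'})`, and keep the view-level method restriction as a second layer. Note also that dropping `'get'` from `http_method_names` makes the inherited retrieve action unreachable; if that is intended, subclassing `generics.UpdateAPIView` states it more plainly than a method allow-list. A regression test asserting that PATCH now returns 405 and that PUT without `old_password` returns 400 would keep this from silently regressing. The added comment is worth writing in English for readers of this security-sensitive path, e.g. `# PATCH is disabled: a partial update makes old_password optional, so a user could change the password without proving the old one.`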