🔒️(backend) remove owner as valid role for ask_for_access serializer

When an ask_for_access creation is made, we explicitly remove the owner
role to prevent role escalation.
Manuel Raynaud
2025-11-12 11:58:50 +01:00
parent 8799b4aa2f
commit bf68a5ae40
3 changed files with 33 additions and 6 deletions

@@ -23,6 +23,10 @@ and this project adheres to
- 🐛(frontend) fix pdf embed to use full width #1526
- 🐛(pdf) fix table cell alignment issue in exported documents #1582
### Security
- mitigate role escalation in the ask_for_access viewset #1580
## [3.9.0] - 2025-11-10
### Added
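Review bot: The new Security entry, "- mitigate role escalation in the ask_for_access viewset #1580", names the viewset, while the commit subject and message say the owner role is removed in the ask_for_access serializer; reword the entry to say serializer so the changelog points at where the fix lives. The entry also lacks the emoji(scope) prefix that the neighbouring entries use (for example "🐛(frontend) fix pdf embed to use full width #1526"); "🔒️(backend)" from the commit subject would keep it consistent. Stating in the entry that the owner role is no longer accepted when asking for access would tell changelog readers what behaviour changed.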