From 720eb6a93e3a8918dcb28315a5aa50195b51c016 Mon Sep 17 00:00:00 2001
From: lebaudantoine
Date: Mon, 2 Mar 2026 14:01:07 +0100
Subject: [PATCH] =?UTF-8?q?=E2=99=BB=EF=B8=8F(backend)=20extract=20forbidd?=
 =?UTF-8?q?en=20permission=20fields=20from=20the=20serializer?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

These fields previously triggered a suspicious operation exception when passed to the API. Make the list configurable so the serializer behavior can be adjusted without requiring a new release.
---
 src/backend/core/api/serializers.py | 3 ++-
 src/backend/meet/settings.py | 6 ++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/backend/core/api/serializers.py b/src/backend/core/api/serializers.py
index 5405b1cb..ae050399 100644
--- a/src/backend/core/api/serializers.py
+++ b/src/backend/core/api/serializers.py
@@ -2,6 +2,7 @@
 # pylint: disable=abstract-method,no-name-in-module
+from django.conf import settings
 from django.core.exceptions import SuspiciousOperation
 from django.utils.translation import gettext_lazy as _
@@ -318,7 +319,7 @@ class UpdateParticipantSerializer(BaseParticipantsManagementSerializer):
 suspicious_fields = [
 field
- for field in ("hidden", "recorder", "agent")
+ for field in settings.PARTICIPANT_FORBIDDEN_PERMISSION_FIELDS
 if getattr(permission, field) is not None
 ]
 if suspicious_fields:
diff --git a/src/backend/meet/settings.py b/src/backend/meet/settings.py
index eda28a76..937abff5 100755
--- a/src/backend/meet/settings.py
+++ b/src/backend/meet/settings.py
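Review bot: Now that the field names come from configuration, a name that is not an attribute of `permission` makes `getattr(permission, field)` in the second serializers.py hunk raise `AttributeError` on every update request, turning a typo in the environment into a 500 instead of a deploy-time failure, and an empty list (presumably what an empty environment value parses to — worth confirming against django-configurations' `ListValue`) silently removes the privilege-escalation guard this comprehension implements. Consider validating the setting once at startup, for example in a Django system check that asserts the list is non-empty and that every name is a known permission field, so a misconfiguration is reported when the process boots rather than surfacing as a crash or as a quietly absent check. The enclosing method of `UpdateParticipantSerializer` starts and ends outside the hunk, so whether `permission` can be `None` here is not visible.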
@@ -596,6 +596,12 @@ class Base(Configuration):
 ALLOW_UNREGISTERED_ROOMS = values.BooleanValue(
 True, environ_name="ALLOW_UNREGISTERED_ROOMS", environ_prefix=None
 )
+ # if provided, treat as suspicious (possible privilege escalation attempt).
+ PARTICIPANT_FORBIDDEN_PERMISSION_FIELDS = values.ListValue(
+ ["hidden", "recorder", "agent"],
+ environ_name="PARTICIPANT_FORBIDDEN_PERMISSION_FIELDS",
+ environ_prefix=None,
+ )
 # Recording settings
 RECORDING_ENABLE = values.BooleanValue(
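Review bot: The comment above `PARTICIPANT_FORBIDDEN_PERMISSION_FIELDS` does not say what "if provided" refers to, so an operator editing the environment has to read the serializer to learn that these are request fields, not something the setting itself provides. Suggest replacing it with `# Permission fields a client may never set when updating a participant; a request that supplies any of them is rejected as a possible privilege-escalation attempt. Leave non-empty: an empty list disables the check.` Since this is now an operator-facing knob, the project's environment-variable reference (if it keeps one) should gain an entry for it as well, which this commit does not include.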