♻️(backend) extract forbidden permission fields from the serializer

These fields previously triggered a suspicious operation exception when passed to the API. Make the list configurable so the serializer behavior can be adjusted without requiring a new release.
2026-03-02 14:01:07 +01:00
parent bfbf253033
commit 720eb6a93e
2 changed files with 8 additions and 1 deletions
--- a/src/backend/core/api/serializers.py
+++ b/src/backend/core/api/serializers.py
@@ -2,6 +2,7 @@
 # pylint: disable=abstract-method,no-name-in-module
 from django.conf import settings
 from django.core.exceptions import SuspiciousOperation
 from django.utils.translation import gettext_lazy as _
@@ -318,7 +319,7 @@ class UpdateParticipantSerializer(BaseParticipantsManagementSerializer):
        suspicious_fields = [
            field
-            for field in ("hidden", "recorder", "agent")
+            for field in settings.PARTICIPANT_FORBIDDEN_PERMISSION_FIELDS
            if getattr(permission, field) is not None
        ]
        if suspicious_fields:
--- a/src/backend/meet/settings.py
+++ b/src/backend/meet/settings.py
@@ -596,6 +596,12 @@ class Base(Configuration):
    ALLOW_UNREGISTERED_ROOMS = values.BooleanValue(
        True, environ_name="ALLOW_UNREGISTERED_ROOMS", environ_prefix=None
    )
    # if provided, treat as suspicious (possible privilege escalation attempt).
    PARTICIPANT_FORBIDDEN_PERMISSION_FIELDS = values.ListValue(
        ["hidden", "recorder", "agent"],
        environ_name="PARTICIPANT_FORBIDDEN_PERMISSION_FIELDS",
        environ_prefix=None,
    )
    # Recording settings
    RECORDING_ENABLE = values.BooleanValue(