♻️(backend) extract forbidden permission fields from the serializer

These fields previously triggered a suspicious operation exception
when passed to the API.

Make the list configurable so the serializer behavior can be
adjusted without requiring a new release.

src/backend/core/api/serializers.py

@@ -2,6 +2,7 @@
 
 # pylint: disable=abstract-method,no-name-in-module
 
+from django.conf import settings
 from django.core.exceptions import SuspiciousOperation
 from django.utils.translation import gettext_lazy as _
 
@@ -318,7 +319,7 @@ class UpdateParticipantSerializer(BaseParticipantsManagementSerializer):
 
         suspicious_fields = [
             field
-            for field in ("hidden", "recorder", "agent")
+            for field in settings.PARTICIPANT_FORBIDDEN_PERMISSION_FIELDS
             if getattr(permission, field) is not None
         ]
         if suspicious_fields:

src/backend/meet/settings.py

@@ -596,6 +596,12 @@ class Base(Configuration):
     ALLOW_UNREGISTERED_ROOMS = values.BooleanValue(
         True, environ_name="ALLOW_UNREGISTERED_ROOMS", environ_prefix=None
     )
+    # if provided, treat as suspicious (possible privilege escalation attempt).
+    PARTICIPANT_FORBIDDEN_PERMISSION_FIELDS = values.ListValue(
+        ["hidden", "recorder", "agent"],
+        environ_name="PARTICIPANT_FORBIDDEN_PERMISSION_FIELDS",
+        environ_prefix=None,
+    )
 
     # Recording settings
     RECORDING_ENABLE = values.BooleanValue(