
Events : .patch("/events/{event_id}", status_code=204) logic error #774

@muchenhen

Description


Story

Non-admin users are unable to update their own events

There is a logical flaw in the event update API endpoint, PATCH /events/{event_id}, which prevents non-admin (is_manager=False) users from making any updates to events they created themselves.

The permission check logic in the code incorrectly throws a ForbiddenException if the creator of the event is the same as the current user making the request. This is the exact opposite of the expected business logic, where a user should be able to manage their own resources.

This bug prevents regular users from editing or modifying events they have created, severely impacting the system's usability.


We have a large number of action.launcher topic events that cannot be updated; only an admin's events can be finished.

To reproduce

Steps to reproduce the behavior:

  1. Log in to the system with a non-admin account (e.g., username test_user).
  2. Using the test_user account, create a new event and note its event_id.
  3. With the same test_user account, send a PATCH request to the /events/{event_id} endpoint to modify any field (e.g., summary or description).
  4. Observe that the API returns a 403 Forbidden error with the message "Not allowed to update this event".

Expected behavior

When a non-admin user attempts to update an event they created, the operation should be permitted (unless it violates other specific permission rules).

The correct and expected behavior is:

  1. The API request should be processed successfully.
  2. The API should return a 204 No Content status code, indicating the resource was updated successfully.
  3. The corresponding event fields should be updated in the database.

Users should be prevented from updating events created by other users (if they lack admin privileges), not their own.

Environment

  • Server version: latest
  • Server host OS: linux
  • Browser: N/A (API Bug)
  • Client version: 1.3.3

Additional context

The root cause of the problem is in the following code block within the update_existing_event function:

    if not user.is_manager:
        if event_user == user.name:
            # This line is incorrect, as it forbids a user from updating their own event.
            raise ForbiddenException("Not allowed to update this event")
        if payload.user and payload.user != user.name:
            raise ForbiddenException("Not allowed to change user of this event")

The most likely fix is to change the condition if event_user == user.name: to if event_user != user.name:. This would ensure that users are only prevented from updating events belonging to others, not their own.
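To make the inversion concrete, here is the permission check from the issue reproduced as a pure function next to the proposed fix, with a small harness that reports the HTTP outcome the API would produce. This is an added example, not the project's own code: User, Payload and ForbiddenException are assumed stand-ins for the project's real types, and check_update_buggy / check_update_fixed / outcome are illustrative names.

```python
# Added example, not the project's code: the reported permission check and
# the proposed fix as pure functions, plus a harness that maps the result
# to the status code the API would return (204 allowed, 403 forbidden).
from dataclasses import dataclass
from typing import Callable, Optional


class ForbiddenException(Exception):
    """Stand-in for the project's ForbiddenException (assumed, named in the issue)."""


@dataclass
class User:
    name: str
    is_manager: bool = False  # is_manager=False means a non-admin user


@dataclass
class Payload:
    # Only the field the permission check inspects; other event fields omitted.
    user: Optional[str] = None


def check_update_buggy(event_user: str, user: User, payload: Payload) -> None:
    """Logic as reported in the issue: rejects the event's own creator."""
    if not user.is_manager:
        if event_user == user.name:  # inverted comparison (the bug)
            raise ForbiddenException("Not allowed to update this event")
        if payload.user and payload.user != user.name:
            raise ForbiddenException("Not allowed to change user of this event")


def check_update_fixed(event_user: str, user: User, payload: Payload) -> None:
    """Proposed fix: non-managers may only update events they created."""
    if not user.is_manager:
        if event_user != user.name:  # deny updates to other users' events
            raise ForbiddenException("Not allowed to update this event")
        if payload.user and payload.user != user.name:
            raise ForbiddenException("Not allowed to change user of this event")


Check = Callable[[str, User, Payload], None]


def outcome(check: Check, event_user: str, user: User,
            payload: Optional[Payload] = None) -> str:
    """Run a check and report '204' (update allowed) or '403' (forbidden)."""
    try:
        check(event_user, user, payload or Payload())
    except ForbiddenException:
        return "403"
    return "204"


if __name__ == "__main__":
    # Constructed sample: the reproduction steps from the issue.
    owner = User("test_user")
    for label, check in (("buggy", check_update_buggy), ("fixed", check_update_fixed)):
        print(label, "own event:", outcome(check, "test_user", owner),
              "other's event:", outcome(check, "other_user", owner))
```

Tracing the reported code through the harness shows both halves of the inversion: the creator of an event gets 403 on their own event, while a non-manager updating another user's event (with no user field in the payload) gets 204. The fixed check restores the intended rule, and the second condition still blocks a non-manager from reassigning an event to someone else.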


Labels

  • community (Issues and PRs coming from the community members)
  • type: bug (Something isn't working)
