Diffstat (limited to 'api4/team.go')
-rw-r--r-- | api4/team.go | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/api4/team.go b/api4/team.go
index 2c229dce1..5a387ee35 100644
--- a/api4/team.go
+++ b/api4/team.go
@@ -137,7 +137,11 @@ func updateTeam(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- team.Id = c.Params.TeamId
+ // The team being updated in the payload must be the same one as indicated in the URL.
+ if team.Id != c.Params.TeamId {
+ c.SetInvalidParam("team_id")
+ return
+ }
 if !c.App.SessionHasPermissionToTeam(c.Session, c.Params.TeamId, model.PERMISSION_MANAGE_TEAM) {
 c.SetPermissionError(model.PERMISSION_MANAGE_TEAM) |
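Review bot: The new comment above `if team.Id != c.Params.TeamId` says what is compared but not why it matters: the permission check just below is made against `c.Params.TeamId`, so this guard is what ties that authorization to the team named in the payload, which is presumably what the update outside this hunk writes. I would word it as `// Permission is checked against c.Params.TeamId below; reject a payload that names a different team so the authorized team is the one updated.` A payload that omits `id` was previously filled in from the URL and is now rejected with `team_id`, which names the URL parameter rather than the body field; if that is intended it deserves a test and a line in the API docs. updateTeam's body starts and ends outside the hunk.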