Background
Follow-up from #574, which fixed the case where calling /user_settings with no avatar payload would null out the user's stored avatar. The fix guards the call so UserAvatar.update_or_create(...) is only invoked when at least one of avatar_image_name, avatar_character_color, avatar_background_color is truthy.
The remaining concern
UserAvatar.update_or_create (zeeguu/core/model/user_avatar.py) unconditionally assigns all three fields:
    if user_avatar:
        user_avatar.image_name = image_name
        user_avatar.character_color = character_color
        user_avatar.background_color = background_color
So if a client posts to /user_settings with only one of the three avatar fields (e.g. only avatar_character_color), the new guard in #574 lets the call through, and the other two columns get overwritten with NULL.
Question
- Can any current client (web, iOS, Android, browser extension) actually trigger a partial avatar payload? i.e. is there a UI flow that submits one or two of the avatar fields without the others?
- If yes, this is a real bug and we should patch update_or_create to only assign non-None fields (or require all three together at the endpoint and 400 otherwise).
- If no clients do this today, we should still harden the model so a future caller can't trip it.
Suggested fix (if confirmed)
    if user_avatar:
        if image_name is not None:
            user_avatar.image_name = image_name
        if character_color is not None:
            user_avatar.character_color = character_color
        if background_color is not None:
            user_avatar.background_color = background_color
Related: there is currently no way to clear an avatar through this endpoint (the truthiness gate in #574 blocks an all-null payload). Likely fine since there's no "delete avatar" UI, but worth deciding explicitly.
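The partial-payload case and both proposed fixes, as an added sketch that is not code from the zeeguu repository: `Avatar`, `handle_settings`, the `update_*` helpers and the sample values are hypothetical stand-ins for the model and the /user_settings handler.

```python
from dataclasses import dataclass
from typing import Optional

# Request keys named in the issue.
AVATAR_KEYS = ("avatar_image_name", "avatar_character_color", "avatar_background_color")

@dataclass
class Avatar:  # hypothetical stand-in for a stored UserAvatar row (no SQLAlchemy)
    image_name: Optional[str] = "cat.png"  # constructed sample values
    character_color: Optional[str] = "#000000"
    background_color: Optional[str] = "#ffffff"

def update_unconditional(row, image_name, character_color, background_color):
    # Behaviour described in the issue: every column is assigned, None included.
    row.image_name = image_name
    row.character_color = character_color
    row.background_color = background_color
    return row

def update_non_none(row, image_name, character_color, background_color):
    # Suggested fix: only assign the fields the caller actually supplied.
    if image_name is not None:
        row.image_name = image_name
    if character_color is not None:
        row.character_color = character_color
    if background_color is not None:
        row.background_color = background_color
    return row

def handle_settings(payload, row, updater, require_all=False):
    # Assumed endpoint shape: the #574 truthiness gate, then the update call.
    values = [payload.get(key) for key in AVATAR_KEYS]
    if not any(values):
        return 200, row  # no avatar data at all: stored row is left alone
    if require_all and not all(values):
        return 400, row  # alternative fix: reject partial avatar payloads
    return 200, updater(row, *values)

def demo():
    partial = {"avatar_character_color": "#ff0000"}  # constructed partial payload
    return {
        "unconditional": handle_settings(partial, Avatar(), update_unconditional),
        "non_none": handle_settings(partial, Avatar(), update_non_none),
        "all_or_400": handle_settings(partial, Avatar(), update_unconditional, True),
        "empty": handle_settings({}, Avatar(), update_unconditional),
    }

if __name__ == "__main__":
    for name, (status, row) in demo().items():
        print(name, status, row)
```

With the unconditional update, the partial payload passes the gate and leaves image_name and background_color as None; the other two variants preserve the stored values.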