From afbea72cc6f9afb99a2eaadd17594a825931a472 Mon Sep 17 00:00:00 2001
From: Ben Allfree
Date: Thu, 11 Sep 2025 15:22:10 +0000
Subject: [PATCH] mothership: fix security issue allowing users to update their own user records
---
 .../pb_migrations/1753355624_updated_users.js | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 packages/pockethost/src/mothership-app/pb_migrations/1753355624_updated_users.js
diff --git a/packages/pockethost/src/mothership-app/pb_migrations/1753355624_updated_users.js b/packages/pockethost/src/mothership-app/pb_migrations/1753355624_updated_users.js
new file mode 100644
index 00000000..5ad23a46
--- /dev/null
+++ b/packages/pockethost/src/mothership-app/pb_migrations/1753355624_updated_users.js
@@ -0,0 +1,16 @@
+///
+migrate((db) => {
+ const dao = new Dao(db)
+ const collection = dao.findCollectionByNameOrId("systemprofiles0")
+
+ collection.updateRule = null
+
+ return dao.saveCollection(collection)
+}, (db) => {
+ const dao = new Dao(db)
+ const collection = dao.findCollectionByNameOrId("systemprofiles0")
+
+ collection.updateRule = "id = @request.auth.id"
+
+ return dao.saveCollection(collection)
+})
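Review bot: The down callback restores `collection.updateRule = "id = @request.auth.id"`, so rolling this migration back reopens the self-update path that the commit subject describes as a security issue, and nothing in the file says so. A comment above that assignment, such as `// WARNING: rollback restores the self-update rule that this migration removes for security reasons`, would make the consequence visible to whoever runs the rollback. In the up callback, `collection.updateRule = null` depends on PocketBase treating a null rule as admin-only, whereas an empty string would allow any client, so a one-line comment like `// null = admin-only; "" would allow every request` is worth adding. Only updateRule is changed here and the collection's other rules are not visible in this patch; any legitimate client flow that updates the user's own record through the records API will presumably be rejected after this change and should be checked before deploy.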