Fix bug causing 403 responses when plugin data is not set (#365)

barborico · web-flow · commit 2f3239733e54 · 2026-01-22T11:10:38.000-08:00
diff --git a/api/views/resources/app.py b/api/views/resources/app.py
@@ -101,7 +101,7 @@ def put(self, app: App) -> ResponseReturnValue:
         # privilege escalation in the managed apps.
         if (
             app_changes.app_group_lifecycle_plugin != app.app_group_lifecycle_plugin
-            or app_changes.plugin_data != app.plugin_data
+            or (app_changes.plugin_data or {}) != app.plugin_data
         ) and not AuthorizationHelpers.is_access_admin():
             abort(
                 403,
diff --git a/api/views/resources/group.py b/api/views/resources/group.py
@@ -122,7 +122,7 @@ def put(self, group: OktaGroup) -> ResponseReturnValue:
 
         # Enforce stricter authorization for plugin configuration changes to prevent
         # privilege escalation in the managed apps.
-        if group_changes.plugin_data != group.plugin_data and not (
+        if (group_changes.plugin_data or {}) != group.plugin_data and not (
             AuthorizationHelpers.is_access_admin()
             or (type(group) is AppGroup and AuthorizationHelpers.is_app_owner_group_owner(app_group=group))
         ):
