Internal User Endpoint - vulnerability fix + response type fix (#8228)

* fix(key_management_endpoints.py): fix vulnerability where a user could update another user's keys Resolves https://github.com/BerriAI/litellm/issues/8031 * test(key_management_endpoints.py): return consistent 403 forbidden error when modifying key that doesn't belong to user * fix(internal_user_endpoints.py): return model max budget in internal user create response Fixes https://github.com/BerriAI/litellm/issues/7047 * test: fix test * test: update test to handle gemini token counter change * fix(factory.py): fix bedrock http:// handling * docs: fix typo in lm_studio.md (#8222) * test: fix testing * test: fix test --------- Co-authored-by: foreign-sub <51928805+foreign-sub@users.noreply.github.com>
2025-04-25 10:44:24 +00:00 · 2025-02-04 06:41:14 -08:00 · 2025-02-04 06:41:14 -08:00 · df93debbc7
commit df93debbc7
parent f6bd48a1c5
7 changed files with 240 additions and 28 deletions
--- a/litellm/proxy/management_endpoints/internal_user_endpoints.py
+++ b/litellm/proxy/management_endpoints/internal_user_endpoints.py
@ -142,7 +142,6 @@ async def new_user(
    data_json = data.json()  # type: ignore
    data_json = _update_internal_new_user_params(data_json, data)
    response = await generate_key_helper_fn(request_type="user", **data_json)
-
    # Admin UI Logic
    # Add User to Team and Organization
    # if team_id passed add this user to the team
@ -220,6 +219,7 @@ async def new_user(
        tpm_limit=response.get("tpm_limit", None),
        rpm_limit=response.get("rpm_limit", None),
        budget_duration=response.get("budget_duration", None),
+        model_max_budget=response.get("model_max_budget", None),
    )