From d53d5266732630de6a430797fbd9b6fc0136c93d Mon Sep 17 00:00:00 2001
From: Pascal Vizeli
Date: Mon, 14 Jun 2021 10:37:59 +0200
Subject: [PATCH] Add-on: Block update itself (#2956)
* Add-on: Block update itself
* Better logging
* Update
---
 supervisor/api/store.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/supervisor/api/store.py b/supervisor/api/store.py
index d231833ea..a4740d96f 100644
--- a/supervisor/api/store.py
+++ b/supervisor/api/store.py
@@ -27,9 +27,10 @@ from ..const import (
 ATTR_URL,
 ATTR_VERSION,
 ATTR_VERSION_LATEST,
+ REQUEST_FROM,
 )
 from ..coresys import CoreSysAttributes
-from ..exceptions import APIError
+from ..exceptions import APIError, APIForbidden
 from ..store.addon import AddonStore
 from ..store.repository import Repository
@@ -136,6 +137,8 @@ class APIStore(CoreSysAttributes):
 def addons_addon_update(self, request: web.Request) -> Awaitable[None]:
 """Update add-on."""
 addon = self._extract_addon(request, installed=True)
+ if addon == request.get(REQUEST_FROM):
+ raise APIForbidden(f"Add-on {addon.slug} can't update itself!")
 return asyncio.shield(addon.update())
 @api_process
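Review bot: The self-update guard in `addons_addon_update` is enforced only inside this handler, and the diffstat lists `supervisor/api/store.py` as the only changed file, so no test pins the new authorization behaviour. A regression test that sets `REQUEST_FROM` to the add-on being updated and expects `APIForbidden` would keep the check from being dropped silently; any other route that ends in `addon.update()` is not visible here and may need the same guard. The comparison relies on `request.get(REQUEST_FROM)` and `_extract_addon(...)` yielding objects that compare equal for the caller, which this hunk does not show, so a comment such as `# REQUEST_FROM is the caller identified for this request; an add-on must not trigger its own update` would state the assumption. The rest of `APIStore`, including whatever decorates this method, lies outside the hunk.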