🔒️(backend) require at least 5 characters to search for users

Listing users is made a little to easy for authenticated users.
2025-02-12 23:48:01 +01:00
parent 3839a2e8b1
commit eba926dea4
3 changed files with 30 additions and 4 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,6 +19,8 @@ and this project adheres to
 ## Fixed

 - 🐛(back) allow only images to be used with the cors-proxy #781
+- 🐛(backend) stop returning inactive users on the list endpoint #636
+- 🔒️(backend) require at least 5 characters to search for users #636


 ## [2.5.0] - 2025-03-18
--- a/src/backend/core/api/viewsets.py
+++ b/src/backend/core/api/viewsets.py
@@ -160,8 +160,8 @@ class UserViewSet(
        if document_id := self.request.GET.get("document_id", ""):
            queryset = queryset.exclude(documentaccess__document_id=document_id)

-        if not (query := self.request.GET.get("q", "")):
-            return queryset
+        if not (query := self.request.GET.get("q", "")) or len(query) < 5:
+            return queryset.none()

        # For emails, match emails by Levenstein distance to prevent typing errors
        if "@" in query:
--- a/src/backend/core/tests/test_api_users.py
+++ b/src/backend/core/tests/test_api_users.py
@@ -24,7 +24,7 @@ def test_api_users_list_anonymous():

 def test_api_users_list_authenticated():
    """
-    Authenticated users should be able to list users.
+    Authenticated users should not be able to list users without a query.
    """
    user = factories.UserFactory()

@@ -37,7 +37,7 @@ def test_api_users_list_authenticated():
    )
    assert response.status_code == 200
    content = response.json()
-    assert len(content["results"]) == 3
+    assert content["results"] == []


 def test_api_users_list_query_email():
@@ -130,6 +130,30 @@ def test_api_users_list_query_email_exclude_doc_user():
    assert user_ids == [str(nicole_fool.id)]


+def test_api_users_list_query_short_queries():
+    """
+    Queries shorter than 5 characters should return an empty result set.
+    """
+    user = factories.UserFactory()
+    client = APIClient()
+    client.force_login(user)
+
+    factories.UserFactory(email="john.doe@example.com")
+    factories.UserFactory(email="john.lennon@example.com")
+
+    response = client.get("/api/v1.0/users/?q=jo")
+    assert response.status_code == 200
+    assert response.json()["results"] == []
+
+    response = client.get("/api/v1.0/users/?q=john")
+    assert response.status_code == 200
+    assert response.json()["results"] == []
+
+    response = client.get("/api/v1.0/users/?q=john.")
+    assert response.status_code == 200
+    assert len(response.json()["results"]) == 2
+
+
 def test_api_users_retrieve_me_anonymous():
    """Anonymous users should not be allowed to list users."""
    factories.UserFactory.create_batch(2)