From eba926dea4f16d4bb4c548111471ab205ef7ccd0 Mon Sep 17 00:00:00 2001
From: Samuel Paccoud - DINUM
Date: Wed, 12 Feb 2025 23:48:01 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=EF=B8=8F(backend)=20require=20at?= =?UTF-8?q?=20least=205=20characters=20to=20search=20for=20users?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Listing users is made a little to easy for authenticated users.
---
 CHANGELOG.md | 2 ++
 src/backend/core/api/viewsets.py | 4 ++--
 src/backend/core/tests/test_api_users.py | 28 ++++++++++++++++++++++--
 3 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 808ceb2b..3fa4b68e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,6 +19,8 @@ and this project adheres to
 ## Fixed
 - 🐛(back) allow only images to be used with the cors-proxy #781
+- 🐛(backend) stop returning inactive users on the list endpoint #636
+- 🔒️(backend) require at least 5 characters to search for users #636
 ## [2.5.0] - 2025-03-18
diff --git a/src/backend/core/api/viewsets.py b/src/backend/core/api/viewsets.py
index 5f8d87f2..1b58f813 100644
--- a/src/backend/core/api/viewsets.py
+++ b/src/backend/core/api/viewsets.py
@@ -160,8 +160,8 @@ class UserViewSet(
         if document_id := self.request.GET.get("document_id", ""):
             queryset = queryset.exclude(documentaccess__document_id=document_id)
-        if not (query := self.request.GET.get("q", "")):
-            return queryset
+        if not (query := self.request.GET.get("q", "")) or len(query) < 5:
+            return queryset.none()
         # For emails, match emails by Levenstein distance to prevent typing errors
         if "@" in query:
diff --git a/src/backend/core/tests/test_api_users.py b/src/backend/core/tests/test_api_users.py
index d99e0406..d3e6ed48 100644
--- a/src/backend/core/tests/test_api_users.py
+++ b/src/backend/core/tests/test_api_users.py
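Review bot: The new guard `if not (query := self.request.GET.get("q", "")) or len(query) < 5:` measures the raw parameter, so a value padded with whitespace reaches the minimum length without carrying a meaningful search term, and the threshold is a bare literal that the tests and the changelog entry repeat independently. Strip before measuring and name the value, e.g. `MIN_USER_SEARCH_QUERY_LENGTH = 5` at module level and `if not (query := self.request.GET.get("q", "").strip()) or len(query) < MIN_USER_SEARCH_QUERY_LENGTH:`; whether the query is already stripped further down the method is not visible here. The switch from returning the full queryset to `queryset.none()` for a missing or short query deserves a why-comment on the `return` line, such as `# Refuse to list users without a sufficiently specific query so the endpoint cannot be used to enumerate accounts`. The enclosing method starts before and continues after the hunk.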
@@ -24,7 +24,7 @@ def test_api_users_list_anonymous():
 def test_api_users_list_authenticated():
     """
-    Authenticated users should be able to list users.
+    Authenticated users should not be able to list users without a query.
     """
     user = factories.UserFactory()
@@ -37,7 +37,7 @@ def test_api_users_list_authenticated():
     )
     assert response.status_code == 200
     content = response.json()
-    assert len(content["results"]) == 3
+    assert content["results"] == []
 def test_api_users_list_query_email():
@@ -130,6 +130,30 @@ def test_api_users_list_query_email_exclude_doc_user():
     assert user_ids == [str(nicole_fool.id)]
+def test_api_users_list_query_short_queries():
+    """
+    Queries shorter than 5 characters should return an empty result set.
+    """
+    user = factories.UserFactory()
+    client = APIClient()
+    client.force_login(user)
+
+    factories.UserFactory(email="john.doe@example.com")
+    factories.UserFactory(email="john.lennon@example.com")
+
+    response = client.get("/api/v1.0/users/?q=jo")
+    assert response.status_code == 200
+    assert response.json()["results"] == []
+
+    response = client.get("/api/v1.0/users/?q=john")
+    assert response.status_code == 200
+    assert response.json()["results"] == []
+
+    response = client.get("/api/v1.0/users/?q=john.")
+    assert response.status_code == 200
+    assert len(response.json()["results"]) == 2
+
+
 def test_api_users_retrieve_me_anonymous():
     """Anonymous users should not be allowed to list users."""
     factories.UserFactory.create_batch(2)
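Review bot: test_api_users_list_query_short_queries never sends the parameter present but empty, `?q=`, which is the `not query` branch of the new guard and the one case the updated test_api_users_list_authenticated (no parameter at all) does not cover; add `response = client.get("/api/v1.0/users/?q=")` followed by the same two assertions of a 200 status and an empty result list. A whitespace-only or whitespace-padded query such as `?q=%20%20%20%20%20` is also worth pinning, since the guard as written counts characters rather than meaningful input and the expected outcome should be fixed by a test either way. As a matter of style, the three request/assert triples would read more clearly as a parametrized case over query string and expected count, if the module already uses pytest, keeping "john." as the exact-five-character boundary.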