🔒️(backend) require at least 5 characters to search for users
Listing users is made a little too easy for authenticated users.
committed by
Manuel Raynaud
parent
3839a2e8b1
commit
eba926dea4
@@ -19,6 +19,8 @@ and this project adheres to
|
|||||||
## Fixed
|
## Fixed
|
||||||
|
|
||||||
- 🐛(back) allow only images to be used with the cors-proxy #781
|
- 🐛(back) allow only images to be used with the cors-proxy #781
|
||||||
|
- 🐛(backend) stop returning inactive users on the list endpoint #636
|
||||||
|
- 🔒️(backend) require at least 5 characters to search for users #636
|
||||||
|
|
||||||
|
|
||||||
## [2.5.0] - 2025-03-18
|
## [2.5.0] - 2025-03-18
|
||||||
|
|||||||
@@ -160,8 +160,8 @@ class UserViewSet(
|
|||||||
if document_id := self.request.GET.get("document_id", ""):
|
if document_id := self.request.GET.get("document_id", ""):
|
||||||
queryset = queryset.exclude(documentaccess__document_id=document_id)
|
queryset = queryset.exclude(documentaccess__document_id=document_id)
|
||||||
|
|
||||||
if not (query := self.request.GET.get("q", "")):
|
if not (query := self.request.GET.get("q", "")) or len(query) < 5:
|
||||||
return queryset
|
return queryset.none()
|
||||||
|
|
||||||
# For emails, match emails by Levenstein distance to prevent typing errors
|
# For emails, match emails by Levenstein distance to prevent typing errors
|
||||||
if "@" in query:
|
if "@" in query:
|
||||||
|
|||||||
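Review bot: The length check on the new `if` counts raw characters, so a value padded with whitespace (e.g. `q=%20%20%20ab`) satisfies `len(query) < 5` while the effective search term is two characters; whether the search code below strips its input is not visible in this hunk, so gate on the trimmed value, `if not (query := self.request.GET.get("q", "").strip()) or len(query) < 5:`. The threshold `5` is also a magic number repeated in the tests and the changelog; a module-level constant such as `MIN_QUERY_LENGTH = 5` (or a settings value) with a comment stating why it exists would keep the three in sync. A five-character prefix still enumerates every matching account (the new test shows `john.` returning both users), so this is a mitigation rather than a fix; throttling this endpoint is the complementary control if it is not already applied outside this hunk. The enclosing method continues past the end of the hunk.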
@@ -24,7 +24,7 @@ def test_api_users_list_anonymous():
|
|||||||
|
|
||||||
def test_api_users_list_authenticated():
|
def test_api_users_list_authenticated():
|
||||||
"""
|
"""
|
||||||
Authenticated users should be able to list users.
|
Authenticated users should not be able to list users without a query.
|
||||||
"""
|
"""
|
||||||
user = factories.UserFactory()
|
user = factories.UserFactory()
|
||||||
|
|
||||||
@@ -37,7 +37,7 @@ def test_api_users_list_authenticated():
|
|||||||
)
|
)
|
||||||
assert response.status_code == 200
|
assert response.status_code == 200
|
||||||
content = response.json()
|
content = response.json()
|
||||||
assert len(content["results"]) == 3
|
assert content["results"] == []
|
||||||
|
|
||||||
|
|
||||||
def test_api_users_list_query_email():
|
def test_api_users_list_query_email():
|
||||||
@@ -130,6 +130,30 @@ def test_api_users_list_query_email_exclude_doc_user():
|
|||||||
assert user_ids == [str(nicole_fool.id)]
|
assert user_ids == [str(nicole_fool.id)]
|
||||||
|
|
||||||
|
|
||||||
|
def test_api_users_list_query_short_queries():
|
||||||
|
"""
|
||||||
|
Queries shorter than 5 characters should return an empty result set.
|
||||||
|
"""
|
||||||
|
user = factories.UserFactory()
|
||||||
|
client = APIClient()
|
||||||
|
client.force_login(user)
|
||||||
|
|
||||||
|
factories.UserFactory(email="john.doe@example.com")
|
||||||
|
factories.UserFactory(email="john.lennon@example.com")
|
||||||
|
|
||||||
|
response = client.get("/api/v1.0/users/?q=jo")
|
||||||
|
assert response.status_code == 200
|
||||||
|
assert response.json()["results"] == []
|
||||||
|
|
||||||
|
response = client.get("/api/v1.0/users/?q=john")
|
||||||
|
assert response.status_code == 200
|
||||||
|
assert response.json()["results"] == []
|
||||||
|
|
||||||
|
response = client.get("/api/v1.0/users/?q=john.")
|
||||||
|
assert response.status_code == 200
|
||||||
|
assert len(response.json()["results"]) == 2
|
||||||
|
|
||||||
|
|
||||||
def test_api_users_retrieve_me_anonymous():
|
def test_api_users_retrieve_me_anonymous():
|
||||||
"""Anonymous users should not be allowed to list users."""
|
"""Anonymous users should not be allowed to list users."""
|
||||||
factories.UserFactory.create_batch(2)
|
factories.UserFactory.create_batch(2)
|
||||||
|
|||||||
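Review bot: `test_api_users_list_query_short_queries` pins the boundary at 4 vs 5 characters but does not cover a padded value, so a query like `?q=%20%20%20jo` that passes the raw length check while carrying a two-character term is untested; add a case such as `response = client.get("/api/v1.0/users/?q=%20%20%20jo")` followed by `assert response.json()["results"] == []` and make the view strip the value if that case fails. The final assertion `assert len(response.json()["results"]) == 2` would be stricter as a comparison of the returned ids against the two created users, matching the style of `test_api_users_list_query_email_exclude_doc_user` above it. The docstring could also state that a too-short query yields HTTP 200 with an empty list rather than a 400, since that is the contract clients must handle.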