From 422f838899788a132af8fd0f8faff0cb7ee9d80d Mon Sep 17 00:00:00 2001
From: lebaudantoine
Date: Tue, 29 Apr 2025 16:45:55 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=EF=B8=8F(backend)=20remove=20acces?=
 =?UTF-8?q?ses=20list=20from=20room=20serializer=20for=20non-admins?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Restrict access to room user permissions data by excluding this information from room serializer response for non-admin/owner users. Previously all members could see complete access lists. Change enforces stricter information access control based on user role.

Spotted in #YWH-PGM14336-5.
---
 src/backend/core/api/serializers.py | 2 +-
 .../tests/rooms/test_api_rooms_retrieve.py | 42 +++----------------
 2 files changed, 6 insertions(+), 38 deletions(-)

diff --git a/src/backend/core/api/serializers.py b/src/backend/core/api/serializers.py
index d07aba90..4f57ed2d 100644
--- a/src/backend/core/api/serializers.py
+++ b/src/backend/core/api/serializers.py
@@ -120,7 +120,7 @@ class RoomSerializer(serializers.ModelSerializer):
         role = instance.get_role(request.user)
         is_admin = models.RoleChoices.check_administrator_role(role)
 
-        if role is not None:
+        if is_admin:
             access_serializer = NestedResourceAccessSerializer(
                 instance.accesses.select_related("resource", "user").all(),
                 context=self.context,
diff --git a/src/backend/core/tests/rooms/test_api_rooms_retrieve.py b/src/backend/core/tests/rooms/test_api_rooms_retrieve.py
index ad5a53ad..1788f641 100644
--- a/src/backend/core/tests/rooms/test_api_rooms_retrieve.py
+++ b/src/backend/core/tests/rooms/test_api_rooms_retrieve.py
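Review bot: The new `if is_admin:` gate carries no comment recording why the access list is now withheld, and `check_administrator_role` is not visible in this hunk, so whether room owners (whom the commit message says keep access) are covered by it cannot be confirmed from here; a regression test for the owner and administrator paths would pin that down. I would add above the condition `# Only administrators may enumerate a room's accesses (YWH-PGM14336-5); plain members must not learn other members' identities or roles.` Note that `role` is now used only to derive `is_admin`, which is fine as long as nothing later in the method still branches on it. The enclosing method starts before and ends after this hunk.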
@@ -338,22 +338,20 @@ def test_api_rooms_retrieve_authenticated():
 )
 def test_api_rooms_retrieve_members(mock_token, django_assert_num_queries, settings):
     """
-    Users who are members of a room should be allowed to see related users.
+    Users who are members of a room should not be allowed to see related users.
     """
     settings.TIME_ZONE = "UTC"
     user = UserFactory()
     other_user = UserFactory()
     room = RoomFactory()
-    user_access = UserResourceAccessFactory(resource=room, user=user, role="member")
-    other_user_access = UserResourceAccessFactory(
-        resource=room, user=other_user, role="member"
-    )
+    UserResourceAccessFactory(resource=room, user=user, role="member")
+    UserResourceAccessFactory(resource=room, user=other_user, role="member")
 
     client = APIClient()
     client.force_login(user)
 
-    with django_assert_num_queries(4):
+    with django_assert_num_queries(3):
         response = client.get(
             f"/api/v1.0/rooms/{room.id!s}/",
         )
@@ -361,37 +359,7 @@ def test_api_rooms_retrieve_members(mock_token, django_assert_num_queries, setti
     assert response.status_code == 200
     content_dict = response.json()
 
-    assert sorted(content_dict.pop("accesses"), key=lambda x: x["id"]) == sorted(
-        [
-            {
-                "id": str(user_access.id),
-                "user": {
-                    "id": str(user_access.user.id),
-                    "email": user_access.user.email,
-                    "full_name": user_access.user.full_name,
-                    "short_name": user_access.user.short_name,
-                    "timezone": "UTC",
-                    "language": user_access.user.language,
-                },
-                "resource": str(room.id),
-                "role": user_access.role,
-            },
-            {
-                "id": str(other_user_access.id),
-                "user": {
-                    "id": str(other_user_access.user.id),
-                    "email": other_user_access.user.email,
-                    "full_name": other_user_access.user.full_name,
-                    "short_name": other_user_access.user.short_name,
-                    "timezone": "UTC",
-                    "language": other_user_access.user.language,
-                },
-                "resource": str(room.id),
-                "role": other_user_access.role,
-            },
-        ],
-        key=lambda x: x["id"],
-    )
+    assert "accesses" not in content_dict
 
     expected_name = str(room.id)
     assert content_dict == {
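Review bot: `assert "accesses" not in content_dict` only checks that the key is gone, while the point of the fix is that a member must not learn the other member's identity through any part of the payload; the test should also assert that data is absent from the whole body, e.g. `assert other_user.email not in response.content.decode()` right after the status-code check (`other_user` is still created in the setup hunk above). The diff shows no test exercising the administrator path that still emits accesses, so if one does not already exist elsewhere in this file it is worth adding beside this one. The docstring is accurate for the member case but could name the finding, e.g. `Members of a room must not see its access list (YWH-PGM14336-5).` The function body continues past the end of the last hunk.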