From 42a05da5c09c8e5fcf28f787c0060390e01e255c Mon Sep 17 00:00:00 2001
From: lebaudantoine
Date: Wed, 4 Feb 2026 18:54:18 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=EF=B8=8F(admin)=20make=20recording?= =?UTF-8?q?=20fields=20read-only=20for=20security=20and=20performance?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
These values should not be updated from the admin interface. Allowing changes to a recording’s associated room could lead to data leaks (e.g., notifications being resent to the wrong users after a malicious modification). Also remove the room select field, which rendered a dropdown with ~150k options, flooding the DOM and severely degrading page performance.
---
 src/backend/core/admin.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/backend/core/admin.py b/src/backend/core/admin.py
index d66c1c2c..694344c1 100644
--- a/src/backend/core/admin.py
+++ b/src/backend/core/admin.py
@@ -213,7 +213,16 @@ class RecordingAdmin(admin.ModelAdmin):
 )
 list_filter = ["created_at"]
 list_select_related = ("room",)
- readonly_fields = ["id", "created_at", "updated_at"]
+ readonly_fields = (
+ "id",
+ "created_at",
+ "options",
+ "mode",
+ "room",
+ "status",
+ "updated_at",
+ "worker_id",
+ )
 actions = [resend_notification]
 def get_queryset(self, request):
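Review bot: With `room` now in `readonly_fields`, the admin "add recording" form can no longer set a room, so unless adding is already disabled elsewhere in `RecordingAdmin` (the class body starts and ends outside this hunk), the add view will probably fail on save or create a recording with no room. If recordings are never meant to be created from the admin, state that explicitly with `def has_add_permission(self, request): return False`. A short comment above the tuple, such as `# Read-only: editing room/status here could misdirect resend_notification to the wrong users`, would keep the security rationale next to the code instead of only in the commit message. A small admin test asserting that these names are absent from the change form's editable fields would stop a later edit from quietly making `room` writable again.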