From 462c6c50e5a20b5c214997759a4f8e1d93cd22ba Mon Sep 17 00:00:00 2001 From: lebaudantoine Date: Tue, 29 Apr 2025 16:22:45 +0200 Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=EF=B8=8F(backend)=20disable=20Brow?= =?UTF-8?q?sableAPIRenderer=20to=20prevent=20information=20leakage?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Remove BrowsableAPIRenderer from API options, restricting output to JSON format only. Prevents leakage of sensitive information like resource IDs and user identifiers that were previously exposed in renderer dropdown options. Issue identified in #YWH-PGM14336-4 report. These information was considered as a critical disclosure by hackers.
---
 src/backend/meet/settings.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/backend/meet/settings.py b/src/backend/meet/settings.py
index acd04609..2b58fb58 100755
--- a/src/backend/meet/settings.py
+++ b/src/backend/meet/settings.py
@@ -263,6 +263,9 @@ class Base(Configuration):
         "rest_framework.parsers.JSONParser",
         "nested_multipart_parser.drf.DrfNestedParser",
     ],
+    "DEFAULT_RENDERER_CLASSES": [
+        "rest_framework.renderers.JSONRenderer",
+    ],
     "EXCEPTION_HANDLER": "core.api.exception_handler",
     "DEFAULT_PAGINATION_CLASS": "rest_framework.pagination.PageNumberPagination",
     "PAGE_SIZE": 20,
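Review bot: The new `DEFAULT_RENDERER_CLASSES` entry carries no comment explaining why it is JSON-only, so a later developer is likely to re-add `BrowsableAPIRenderer` for local convenience and reopen the disclosure; add a why-comment above the key, e.g. `# Security: JSON only. BrowsableAPIRenderer's HTML forms enumerated resource and user IDs in related-field dropdowns (YWH-PGM14336-4); do not re-enable it, even under DEBUG.` This global default is also only a default: any view or `@api_view` that sets `renderer_classes` explicitly, or a settings subclass that redefines `REST_FRAMEWORK`, would still serve the browsable API, so it is worth grepping for those and adding a regression test that `Accept: text/html` and `?format=api` on an authenticated endpoint no longer return HTML. If the dropdown contents came from unscoped related-field querysets, the same data may still be reachable through other representations of those serializers (e.g. list endpoints or OPTIONS metadata) — this cannot be confirmed from the hunk, but the queryset scoping deserves a look rather than relying on the renderer change alone. The enclosing `REST_FRAMEWORK` dict and the `Base` settings class start and end outside the hunk.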