From b0e27b38e2f336a2be4a546f912038bf7257cf19 Mon Sep 17 00:00:00 2001
From: lebaudantoine
Date: Tue, 16 Dec 2025 23:33:40 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=EF=B8=8F(backend)=20avoid=20serial?=
 =?UTF-8?q?izing=20rooms's=20pin=20code=20when=20restricted?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Prevent anonymous users waiting in the lobby, or attacker to discover the room pin code, that would allow them to join a room.
---
 src/backend/core/api/serializers.py | 2 ++
 src/backend/core/tests/rooms/test_api_rooms_retrieve.py | 6 ------
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/src/backend/core/api/serializers.py b/src/backend/core/api/serializers.py
index 3b0743e4..b1fd406b 100644
--- a/src/backend/core/api/serializers.py
+++ b/src/backend/core/api/serializers.py
@@ -159,6 +159,8 @@ class RoomSerializer(serializers.ModelSerializer):
 configuration=configuration,
 is_admin_or_owner=is_admin_or_owner,
 )
+ else:
+ del output["pin_code"]
 output["is_administrable"] = is_admin_or_owner
diff --git a/src/backend/core/tests/rooms/test_api_rooms_retrieve.py b/src/backend/core/tests/rooms/test_api_rooms_retrieve.py
index eb93ccf2..f317ddd8 100644
--- a/src/backend/core/tests/rooms/test_api_rooms_retrieve.py
+++ b/src/backend/core/tests/rooms/test_api_rooms_retrieve.py
@@ -32,7 +32,6 @@ def test_api_rooms_retrieve_anonymous_private_pk():
 "id": str(room.id),
 "is_administrable": False,
 "name": room.name,
- "pin_code": room.pin_code,
 "slug": room.slug,
 }
@@ -52,7 +51,6 @@ def test_api_rooms_retrieve_anonymous_trusted_pk():
 "id": str(room.id),
 "is_administrable": False,
 "name": room.name,
- "pin_code": room.pin_code,
 "slug": room.slug,
 }
@@ -71,7 +69,6 @@ def test_api_rooms_retrieve_anonymous_private_pk_no_dashes():
 "id": str(room.id),
 "is_administrable": False,
 "name": room.name,
- "pin_code": room.pin_code,
 "slug": room.slug,
 }
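Review bot: `del output["pin_code"]` in the new else branch raises KeyError as soon as the key is absent, for instance if a subclass or a later change to the serializer's field list stops including `pin_code`, turning a restricted read into a 500; `output.pop("pin_code", None)` has the same effect without coupling this branch to the field list. The condition that gates the if-branch, and the rest of the method containing it, begin outside the hunk, so it cannot be confirmed here that every caller who must not learn the pin code actually reaches the else branch rather than the first one. Removing a sensitive field after serialization is easy to undo by accident, so the branch deserves a why-comment such as `# pin_code is only exposed on the admin/owner path; strip it for everyone else` so the next edit to the field list keeps the restriction.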
@@ -88,7 +85,6 @@ def test_api_rooms_retrieve_anonymous_private_slug():
 "id": str(room.id),
 "is_administrable": False,
 "name": room.name,
- "pin_code": room.pin_code,
 "slug": room.slug,
 }
@@ -105,7 +101,6 @@ def test_api_rooms_retrieve_anonymous_private_slug_not_normalized():
 "id": str(room.id),
 "is_administrable": False,
 "name": room.name,
- "pin_code": room.pin_code,
 "slug": room.slug,
 }
@@ -347,7 +342,6 @@ def test_api_rooms_retrieve_authenticated():
 "id": str(room.id),
 "is_administrable": False,
 "name": room.name,
- "pin_code": room.pin_code,
 "slug": room.slug,
 }