🔒️(backend) limit user listing endpoint with security flag

Deactivate inherited user listing capability that allows authenticated users to retrieve all application users in JSON format. This potentially unsecure endpoint exposes user database to scraping and isn't currently used in the application. Implement security flag to disable access until properly refactored for upcoming invitation feature. Will revisit and adapt endpoint behavior when developing user invitation functionality.
2025-03-04 23:40:33 +01:00
parent fac9435bc7
commit e20acfa5a9
3 changed files with 31 additions and 6 deletions
--- a/src/backend/core/api/viewsets.py
+++ b/src/backend/core/api/viewsets.py
@@ -150,9 +150,8 @@ class UserViewSet(
        queryset = self.queryset

        if self.action == "list":
-            # Exclude all users already in the given document
-            if document_id := self.request.GET.get("document_id", ""):
-                queryset = queryset.exclude(documentaccess__document_id=document_id)
+            if not settings.ALLOW_UNSECURE_USER_LISTING:
+                return models.User.objects.none()

            # Filter users by email similarity
            if query := self.request.GET.get("q", ""):
--- a/src/backend/core/tests/test_api_users.py
+++ b/src/backend/core/tests/test_api_users.py
@@ -22,10 +22,32 @@ def test_api_users_list_anonymous():
    }


-def test_api_users_list_authenticated():
+def test_api_users_list_authenticated_secure(settings):
    """
-    Authenticated users should be able to list users.
+    Authenticated users should not be able to list any user
+    when ALLOW_UNSECURE_USER_LISTING is False.
    """
+    settings.ALLOW_UNSECURE_USER_LISTING = False
+    user = factories.UserFactory()
+
+    client = APIClient()
+    client.force_login(user)
+
+    factories.UserFactory.create_batch(2)
+    response = client.get(
+        "/api/v1.0/users/",
+    )
+    assert response.status_code == 200
+    content = response.json()
+    assert len(content["results"]) == 0
+
+
+def test_api_users_list_authenticated_unsecure(settings):
+    """
+    Authenticated users should be able to list all users
+    when ALLOW_UNSECURE_USER_LISTING is True.
+    """
+    settings.ALLOW_UNSECURE_USER_LISTING = True
    user = factories.UserFactory()

    client = APIClient()
@@ -40,11 +62,12 @@ def test_api_users_list_authenticated():
    assert len(content["results"]) == 3


-def test_api_users_list_query_email():
+def test_api_users_list_query_email(settings):
    """
    Authenticated users should be able to list users
    and filter by email.
    """
+    settings.ALLOW_UNSECURE_USER_LISTING = True
    user = factories.UserFactory()

    client = APIClient()
--- a/src/backend/meet/settings.py
+++ b/src/backend/meet/settings.py
@@ -73,6 +73,9 @@ class Base(Configuration):
    ALLOWED_HOSTS = values.ListValue([])
    SECRET_KEY = values.Value(None)
    SILENCED_SYSTEM_CHECKS = values.ListValue([])
+    ALLOW_UNSECURE_USER_LISTING = values.BooleanValue(
+        False, environ_name="ALLOW_UNSECURE_USER_LISTING", environ_prefix=None
+    )

    # Application definition
    ROOT_URLCONF = "meet.urls"