🔐(backend) enforce object-level permission checks on room endpoint
Apply strict permission validation on the external API room endpoint to enforce the principle of least privilege. Unlike the default API (which allows unauthenticated room retrieval and filters access in the serializer), the external API now only exposes rooms to users with explicit permissions. This change fixes a security issue.

Slug-based room retrieval, as supported by the default API, is not introduced here but could be added later if needed. Retrieving rooms by UUID is retained, as guessing a UUID is significantly harder than a slug.

A dedicated permission class was created to avoid coupling permissions between the default and external APIs. The external API enforces stricter access rules.

Access policies may be revisited based on user and integrator feedback. The external API currently has no production usage.
Committed by aleb_the_flash
Parent: 5ba1657e00
Commit: f8c6da8021
@@ -17,6 +17,10 @@ and this project adheres to
|
||||
- ⚡️(backend) enhance django admin's loading performance #954
|
||||
- 🌐(frontend) add missing DE translation for accessibility settings
|
||||
|
||||
### Fixed
|
||||
|
||||
- 🔐(backend) enforce object-level permission checks on room endpoint #959
|
||||
|
||||
## [1.5.0] - 2026-01-28
|
||||
|
||||
### Changed
|
||||
|
||||
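Review bot: The new entry under "### Fixed" reads "enforce object-level permission checks on room endpoint" without saying that it is the external API room endpoint, which is the scope the commit message gives for this change. Suggest naming the external API in the entry, so that integrators reading the changelog can tell which endpoint now refuses users without explicit permissions, and that the default API's room retrieval is not what changed.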