From 889291c7f3c1962e848ea1e114c00ac997b7ad22 Mon Sep 17 00:00:00 2001
From: Quentin BEY
Date: Wed, 30 Apr 2025 15:34:48 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=EF=B8=8F(drf)=20disable=20browsabl?=
 =?UTF-8?q?e=20HTML=20API=20renderer?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The `BrowsableAPIRenderer` generates a form to test POST/PUT/... actions and fill the FK fields with unfiltered data. This issue has been spoted on visio and fixed https://github.com/suitenumerique/meet/pull/508
---
CHANGELOG.md | 4 ++++
src/backend/mailbox_oauth2/tests/test_views.py | 6 +++---
src/backend/people/settings.py | 6 ++++++
3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 75c44b9..d7dcee0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,10 @@ and this project adheres to
 ## [Unreleased]
+### Fixed
+
+- 🔒️(drf) disable browsable HTML API renderer #897
+
 ### Added - 🔧(sentry) add Celery beat task integration #892
diff --git a/src/backend/mailbox_oauth2/tests/test_views.py b/src/backend/mailbox_oauth2/tests/test_views.py
index 9000ddd..e4f848e 100644
--- a/src/backend/mailbox_oauth2/tests/test_views.py
+++ b/src/backend/mailbox_oauth2/tests/test_views.py
@@ -20,9 +20,9 @@ def test_login_view_options(client):
 assert response.status_code == 200
 assert response.headers == {
 "Content-Type": "application/json",
- "Vary": "Accept, Authorization, origin, Accept-Language, Cookie",
+ "Vary": "Authorization, origin, Accept-Language, Cookie",
 "Allow": "POST, OPTIONS",
- "Content-Length": "209",
+ "Content-Length": "197",
 "X-Frame-Options": "DENY",
 "Content-Language": "en-us",
 "X-Content-Type-Options": "nosniff",
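Review bot: The new header expectations (`"Vary": "Authorization, origin, Accept-Language, Cookie"` and `"Content-Length": "197"` here, and the matching `Vary` line in the `@@ -52,7` hunk) only witness the renderer change indirectly, so a later settings subclass that re-adds a renderer would fail these exact-match asserts without saying why. One direct assertion next to them names the regression being guarded: `from rest_framework.renderers import BrowsableAPIRenderer`, `from rest_framework.settings import api_settings`, `assert BrowsableAPIRenderer not in api_settings.DEFAULT_RENDERER_CLASSES`. Pinning the byte length of the body (`197`) is a pre-existing pattern in this test, but a short comment such as `# Content-Length pins the JSON body; update when the OPTIONS payload changes` would save the next person a puzzled diff. `test_login_view_options` starts before the hunk and its body continues after it.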
@@ -52,7 +52,7 @@ def test_login_view_authorize(client):
 assert response.headers == {
 "Content-Type": "application/json",
- "Vary": "Accept, Authorization, Cookie, origin, Accept-Language",
+ "Vary": "Authorization, Cookie, origin, Accept-Language",
 "Allow": "POST, OPTIONS",
 "Content-Length": "36",
 "X-Frame-Options": "DENY",
diff --git a/src/backend/people/settings.py b/src/backend/people/settings.py
index b1e5737..ede7af0 100755
--- a/src/backend/people/settings.py
+++ b/src/backend/people/settings.py
@@ -276,6 +276,12 @@ class Base(Configuration):
 "nested_multipart_parser.drf.DrfNestedParser",
 ],
 "DEFAULT_PERMISSION_CLASSES": ("rest_framework.permissions.IsAuthenticated",),
+ "DEFAULT_RENDERER_CLASSES": [
+ # 🔒️ Disable BrowsableAPIRenderer which provides forms allowing a user to
+ # see all the data in the database (ie a serializer with a ForeignKey field
+ # will generate a form with a field with all possible values of the FK).
+ "rest_framework.renderers.JSONRenderer",
+ ],
 "EXCEPTION_HANDLER": "core.api.exception_handler",
 "DEFAULT_PAGINATION_CLASS": "rest_framework.pagination.PageNumberPagination",
 "PAGE_SIZE": 20,
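Review bot: Restricting `DEFAULT_RENDERER_CLASSES` to `JSONRenderer` removes the HTML form that listed every row of a ForeignKey's target model, but it does not change what the serializer accepts: a related field whose queryset is unfiltered still validates any existing pk a client submits by hand, so scoping those querysets per request (e.g. in the serializer's `get_fields` from `self.context["request"].user`) is the part of the fix this setting only covers at the UI level. Views or viewsets that declare `renderer_classes` themselves bypass this default and would keep the browsable renderer, so a grep for that attribute is worth doing before relying on the global setting. The added comment overstates slightly ("all the data in the database"); I would phrase it `# Disable BrowsableAPIRenderer: its HTML forms render a <select> with every row of a related field's queryset, exposing the target model's rows to any authenticated user.` The `REST_FRAMEWORK` dict and `class Base` both start outside the hunk.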