    5bc1f22b
    fix: remove superfluous retrieve/update actions for APIUserViewSet · 5bc1f22b
    Konrad Mohrfeldt authored
    The retrieve and update actions can be removed because the get_queryset
    method already ensures that the user has only access to their own user
    object (or all user objects in case of superusers).
    
    Sending 401 responses for unauthorized requests may also be considered
    leaky, because it exposes that these objects exist instead of returning
    a 404 that simply states that no object with that primary key can be
    found.
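
The difference the commit message describes, as an added example that is not code from this commit or project: a framework-free Python model in which one lookup checks ownership after fetching from the full table and the other only searches the requester's scoped set. All names, the sample user table, and the assumption that the removed actions answered foreign objects with 401 are illustrative.

```python
# Constructed sample data: primary key -> user record (not from the project).
USERS = {
    1: {"username": "alice", "is_superuser": False},
    2: {"username": "bob", "is_superuser": False},
    3: {"username": "root", "is_superuser": True},
}


def visible_users(requester_id):
    """Hypothetical stand-in for get_queryset(): rows the requester may see."""
    if USERS[requester_id]["is_superuser"]:
        return dict(USERS)
    return {requester_id: USERS[requester_id]}


def retrieve_check_after_fetch(requester_id, pk):
    """Look up in the full table first, then reject foreign objects."""
    if pk not in USERS:
        return 404
    if pk != requester_id and not USERS[requester_id]["is_superuser"]:
        return 401  # differs from the 404 above, so the pk is known to exist
    return 200


def retrieve_scoped(requester_id, pk):
    """Look up only inside the requester's scoped set."""
    return 200 if pk in visible_users(requester_id) else 404


def existence_oracle(retrieve, requester_id, pks):
    """Return the pks whose status reveals a record the requester cannot read."""
    missing_status = retrieve(requester_id, max(USERS) + 1000)  # known-absent pk
    return [pk for pk in pks
            if retrieve(requester_id, pk) not in (200, missing_status)]


if __name__ == "__main__":
    probe = range(1, 6)
    print("check-after-fetch leaks:",
          existence_oracle(retrieve_check_after_fetch, 1, probe))
    print("scoped lookup leaks:    ",
          existence_oracle(retrieve_scoped, 1, probe))
```

A regression test in this shape, comparing the status for a foreign primary key against the status for a known-absent one, catches a reintroduced existence leak.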