From 6ee6a4e87b135c447d046595a2012304d02f7f14 Mon Sep 17 00:00:00 2001
From: Konrad Mohrfeldt <konrad.mohrfeldt@farbdev.org>
Date: Tue, 22 Mar 2022 14:17:19 +0100
Subject: [PATCH] fix: remove superfluous retrieve/update actions for APIUserViewSet

The retrieve and update actions can be removed because the get_queryset method already ensures that the user has only access to their own user object (or all user objects in case of superusers). Sending 401 responses for unauthorized requests may also be considered leaky, because it exposes that these objects exist instead of returning a 404 that simply states that no object with that primary key can be found.

---
 program/views.py | 39 +--------------------------------------
 1 file changed, 1 insertion(+), 38 deletions(-)

diff --git a/program/views.py b/program/views.py
index b82d8312..d1ec8421 100644
--- a/program/views.py
+++ b/program/views.py
@@ -193,6 +193,7 @@ def json_playout(request):
 class APIUserViewSet(
+ DisabledObjectPermissionCheckMixin,
 mixins.CreateModelMixin,
 mixins.RetrieveModelMixin,
 mixins.UpdateModelMixin,
@@ -218,18 +219,6 @@ class APIUserViewSet(
 return queryset
- def retrieve(self, request, *args, **kwargs):
- """Returns a single user."""
- pk = get_values(self.kwargs, "pk")
-
- # Common users only see themselves
- if not request.user.is_superuser and pk != request.user.id:
- return Response(status=status.HTTP_401_UNAUTHORIZED)
-
- user = get_object_or_404(User, pk=pk)
- serializer = UserSerializer(user)
- return Response(serializer.data)
-
 def create(self, request, *args, **kwargs):
 """
 Create a User.
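Review bot: Adding DisabledObjectPermissionCheckMixin to the base list turns off DRF's per-object permission check for this viewset, so the scoping done in get_queryset (outside the hunk) becomes the only access control left for retrieve and update; that matches the description, but the commit message never mentions the mixin, and a reader of the class cannot tell from the new line that this is deliberate. The removed update (hunk at -248) built its serializer with `context={"user": request.user}` to limit what non-superusers may edit, whereas the stock UpdateModelMixin path uses the view's default serializer context (`request`, `format`, `view`), so if UserSerializer reads `context["user"]` that field restriction would silently lapse after this change. It is worth confirming that the serializer derives the acting user from `context["request"].user`, or adding an override such as `def get_serializer_context(self): return {**super().get_serializer_context(), "user": self.request.user}`. A short comment above the added line, `# Object-level permission checks are disabled on purpose: get_queryset already scopes non-superusers to their own record`, would record the intent. The APIUserViewSet definition continues past the end of this hunk.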
@@ -248,32 +237,6 @@ class APIUserViewSet(
 return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
- def update(self, request, *args, **kwargs):
- """
- Updates the user’s data.
-
- Non-superusers may not be able to edit all of the available data.
- """
- pk = get_values(self.kwargs, "pk")
-
- serializer = UserSerializer(data=request.data)
- # Common users may only edit themselves
- if not request.user.is_superuser and pk != request.user.id:
- return Response(
- serializer.initial_data, status=status.HTTP_401_UNAUTHORIZED
- )
-
- user = get_object_or_404(User, pk=pk)
- serializer = UserSerializer(
- user, data=request.data, context={"user": request.user}
- )
-
- if serializer.is_valid():
- serializer.save()
- return Response(serializer.data)
-
- return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
-
 class APIShowViewSet(DisabledObjectPermissionCheckMixin, viewsets.ModelViewSet):
 """
-- 
GitLab