Skip to content
Snippets Groups Projects
Commit 6ee6a4e8 authored by Konrad Mohrfeldt's avatar Konrad Mohrfeldt :koala:
Browse files

fix: remove superfluous retrieve/update actions for APIUserViewSet 

The retrieve and update actions can be removed because the get_queryset
method already ensures that the user has only access to their own user
object (or all user objects in case of superusers).

Sending 401 responses for unauthorized requests may also be considered
leaky, because it exposes that these objects exist instead of returning
a 404 that simply states that no object with that primary key can be
found.
parent addf232f
No related branches found
No related tags found
No related merge requests found
This commit is part of merge request !21. Comments created here will be created in the context of that merge request.
Hide whitespace changes
Inline Side-by-side
Showing
with 1 addition and 38 deletions
program/views.py
+ 1
38
View file @ 6ee6a4e8
...@@ -193,6 +193,7 @@ def json_playout(request): ...@@ -193,6 +193,7 @@ def json_playout(request):
class APIUserViewSet( class APIUserViewSet(
DisabledObjectPermissionCheckMixin,
mixins.CreateModelMixin, mixins.CreateModelMixin,
mixins.RetrieveModelMixin, mixins.RetrieveModelMixin,
mixins.UpdateModelMixin, mixins.UpdateModelMixin,
...@@ -218,18 +219,6 @@ class APIUserViewSet( ...@@ -218,18 +219,6 @@ class APIUserViewSet(
return queryset return queryset
def retrieve(self, request, *args, **kwargs):
"""Returns a single user."""
pk = get_values(self.kwargs, "pk")
# Common users only see themselves
if not request.user.is_superuser and pk != request.user.id:
return Response(status=status.HTTP_401_UNAUTHORIZED)
user = get_object_or_404(User, pk=pk)
serializer = UserSerializer(user)
return Response(serializer.data)
def create(self, request, *args, **kwargs): def create(self, request, *args, **kwargs):
""" """
Create a User. Create a User.
...@@ -248,32 +237,6 @@ class APIUserViewSet( ...@@ -248,32 +237,6 @@ class APIUserViewSet(
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
def update(self, request, *args, **kwargs):
"""
Updates the user’s data.
Non-superusers may not be able to edit all of the available data.
"""
pk = get_values(self.kwargs, "pk")
serializer = UserSerializer(data=request.data)
# Common users may only edit themselves
if not request.user.is_superuser and pk != request.user.id:
return Response(
serializer.initial_data, status=status.HTTP_401_UNAUTHORIZED
)
user = get_object_or_404(User, pk=pk)
serializer = UserSerializer(
user, data=request.data, context={"user": request.user}
)
if serializer.is_valid():
serializer.save()
return Response(serializer.data)
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
class APIShowViewSet(DisabledObjectPermissionCheckMixin, viewsets.ModelViewSet): class APIShowViewSet(DisabledObjectPermissionCheckMixin, viewsets.ModelViewSet):
""" """
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment