From e5c427a8721504b8d8bc370dfd7b5bd52d877331 Mon Sep 17 00:00:00 2001
From: Ernesto Rico Schmidt <ernesto@helsinki.at>
Date: Mon, 28 Oct 2024 14:26:31 -0400
Subject: [PATCH] feat: redact sensitive information for unauthenticated
 requests

---
 program/serializers.py | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/program/serializers.py b/program/serializers.py
index 2490abbd..ec81192c 100644
--- a/program/serializers.py
+++ b/program/serializers.py
@@ -114,6 +114,12 @@ class CBASerializer(serializers.ModelSerializer):
             "user_token",
         ) + read_only_fields
 
+    def to_representation(self, instance):
+        if not self.parent.context.get("request").user.is_authenticated:
+            return None
+
+        return super().to_representation(instance)
+
 
 class UserSerializer(serializers.ModelSerializer):
     is_privileged = serializers.SerializerMethodField()
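Review bot: The new `to_representation` reaches the request through `self.parent.context`, which raises AttributeError whenever CBASerializer is used without a parent (`self.parent` is None) or when the context carries no `request` key, so the unauthenticated path can crash the response instead of redacting it. The other three hunks in this patch read `self.context` directly, and in DRF that property resolves to the root serializer's context for nested fields as well, so `self.parent` is not needed here. Suggest `request = self.context.get("request")` followed by `if request is None or not request.user.is_authenticated: return None`, which keeps the check consistent with the other serializers and fails closed when no request is available. A one-line docstring such as `"""Return None for unauthenticated requests so CBA credentials are never serialized."""` would also make the null in the output explainable to API consumers.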
@@ -401,6 +407,14 @@ class ProfileSerializer(serializers.ModelSerializer):
             "owner_ids",
         ) + read_only_fields
 
+    def to_representation(self, instance):
+        representation = super().to_representation(instance)
+
+        if not self.context.get("request").user.is_authenticated:
+            del representation["email"]
+
+        return representation
+
     def create(self, validated_data):
         """
         Create and return a new Profile instance, given the validated data.
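Review bot: `del representation["email"]` raises KeyError if `email` is not present in the serialized output, and `self.context.get("request").user` raises AttributeError when the serializer runs without a request in its context (management commands, tests, or programmatic use), so the redaction branch can turn into a 500 rather than a redacted payload; the same pattern is repeated in the ShowSerializer and TimeSlotSerializer hunks below (`email` and `memo` respectively). Suggest treating a missing request as unauthenticated and popping defensively: `request = self.context.get("request")`, `if request is None or not request.user.is_authenticated:`, `representation.pop("email", None)`. A short docstring stating that `email` is stripped from the representation for anonymous requests would document the contract for clients of this endpoint.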
@@ -633,6 +647,14 @@ class ShowSerializer(serializers.HyperlinkedModelSerializer):
 
         return super().to_internal_value(data)
 
+    def to_representation(self, instance):
+        representation = super().to_representation(instance)
+
+        if not self.context.get("request").user.is_authenticated:
+            del representation["email"]
+
+        return representation
+
     def create(self, validated_data):
         """
         Create and return a new Show instance, given the validated data.
@@ -995,6 +1017,14 @@ class TimeSlotSerializer(serializers.ModelSerializer):
     def get_end(obj) -> datetime:
         return obj.end.astimezone(tz=ZoneInfo(settings.TIME_ZONE))
 
+    def to_representation(self, instance):
+        representation = super().to_representation(instance)
+
+        if not self.context.get("request").user.is_authenticated:
+            del representation["memo"]
+
+        return representation
+
     def update(self, instance, validated_data):
         """Update and return an existing Show instance, given the validated data."""
 
-- 
GitLab