From fb6800867a44f0ff7a5b9eff7f2394a137c73958 Mon Sep 17 00:00:00 2001
From: Ernesto Rico Schmidt <ernesto@helsinki.at>
Date: Tue, 19 Mar 2024 17:43:54 -0400
Subject: [PATCH] fix: return an empty user queryset if the user is
 unauthenticated

---
 program/views.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/program/views.py b/program/views.py
index 4107c011..a0f963a1 100644
--- a/program/views.py
+++ b/program/views.py
@@ -265,12 +265,15 @@ class APIUserViewSet(
     search_fields = ["username", "first_name", "last_name", "email"]
 
     def get_queryset(self):
-        """The queryset contains all the users if the method is safe or requesting user is a
-        superuser, otherwise it only contains the requesting user."""
+        """The queryset is empty if the user is not authenticated, contains all the users if the
+        method is safe or the requesting user is a superuser, otherwise it only contains the
+        requesting user."""
 
         user = self.request.user
 
-        if self.request.method in permissions.SAFE_METHODS or user.is_superuser:
+        if not user.is_authenticated:
+            return User.objects.none()
+        elif self.request.method in permissions.SAFE_METHODS or user.is_superuser:
             return User.objects.all()
         else:
             return User.objects.filter(pk=user.id)
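Review bot: The new `not user.is_authenticated` branch turns an anonymous request into a 200 with an empty list (and a 404 on detail routes) instead of a rejection, which only makes sense if the view's `permission_classes` already reject anonymous callers and this branch exists for the browsable API, schema generation or tests; those classes are outside the hunk, so I can't tell which. Either way the intent should be stated on the branch, e.g. `# AnonymousUser: expose nothing here; authentication is enforced by permission_classes` (or the reverse, if this is meant to be the only guard). Minor style point: the `elif` after an unconditional `return` can be a plain `if`. The enclosing class `APIUserViewSet` begins above the hunk and its remaining members are not visible here.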
-- 
GitLab