[Fixes #11320] API V1 delivers information on users that shouldn't be… (

#11321) * [Fixes #11320] API V1 delivers information on users that shouldn't be visible * Fix black and flake8 * Fix black and flake8 * Fix black and flake8 * Fix black and flake8 * [Fixes #11320] API V1 delivers information on users that shouldn't be visible --------- Co-authored-by: Giovanni Allegri <[email protected]>
GeoNode · Aug 16, 2023 · c84f55e · c84f55e
1 parent 3fa9a86
commit c84f55e
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 1 deletion.
diff --git a/geonode/api/api.py b/geonode/api/api.py
@@ -584,6 +584,16 @@ class OwnersResource(TypeFilteredResource):
 
     full_name = fields.CharField(null=True)
 
+    def apply_filters(self, request, applicable_filters):
+        """filter by group if applicable by group functionality"""
+
+        semi_filtered = super().apply_filters(request, applicable_filters)
+
+        if request.user and not request.user.is_superuser:
+            semi_filtered = get_available_users(request.user)
+
+        return semi_filtered
+
     def dehydrate_full_name(self, bundle):
         return bundle.obj.get_full_name() or bundle.obj.username
 

diff --git a/geonode/api/tests.py b/geonode/api/tests.py
@@ -321,7 +321,7 @@ def test_owners_lockdown(self):
         self.api_client.client.login(username="bobby", password="bob")
         resp = self.api_client.get(filter_url)
         self.assertValidJSONResponse(resp)
-        self.assertEqual(len(self.deserialize(resp)["objects"]), 9)
+        self.assertEqual(len(self.deserialize(resp)["objects"]), 6)
         # Returns limitted info about other users
         bobby = get_user_model().objects.get(username="bobby")
         owners = self.deserialize(resp)["objects"]
@@ -332,6 +332,12 @@ def test_owners_lockdown(self):
                 self.assertIsNone(owner.get("email"))
                 self.assertIsNone(owner.get("first_name"))
 
+        # now test with logged in admin
+        self.api_client.client.login(username="admin", password="admin")
+        resp = self.api_client.get(filter_url)
+        self.assertValidJSONResponse(resp)
+        self.assertEqual(len(self.deserialize(resp)["objects"]), 9)
+
     @override_settings(API_LOCKDOWN=True)
     def test_groups_lockdown(self):
         groups_list_url = reverse("api_dispatch_list", kwargs={"api_name": "api", "resource_name": "groups"})