feat(people): do not expose sender_uuid in public serializer; restrict users API to admins

rando128 · rando128 · commit dcf5425a4433 · 2025-11-21T08:52:15.000+01:00
diff --git a/back/back/apps/people/serializers.py b/back/back/apps/people/serializers.py
@@ -37,6 +37,9 @@ class Meta:
 class AuthUserSerializer(serializers.ModelSerializer):
     """
     Serializer used when the user is authenticated on /api/me/
+
+    NOTE: sender_uuid intentionally NOT included here to avoid exposing it to
+    frontend clients. AdminUserSerializer still exposes it for admin use.
     """
 
     class Meta:
@@ -46,7 +49,6 @@ class Meta:
             "first_name",
             "last_name",
             "email",
-            "sender_uuid",
         ]
 
     is_authenticated = serializers.BooleanField()
diff --git a/back/back/apps/people/views.py b/back/back/apps/people/views.py
@@ -113,8 +113,14 @@ def post(self, request, format=None):
 
 
 class UserAPIViewSet(viewsets.ModelViewSet):
+    """
+    Admin-only CRUD for users. Keep AdminUserSerializer (fields="__all__"),
+    but make access explicit and restricted to admins so sender_uuid is not
+    leaked to non-admins.
+    """
     queryset = User.objects.all()
     serializer_class = AdminUserSerializer
+    permission_classes = [permissions.IsAdminUser]  # Ensure only admins can read/write all fields
     filter_backends = [DjangoFilterBackend, SearchFilter, OrderingFilter]
     filterset_fields = ["id"]
 
