Merge pull request #2778 from onaio/list-users-possible-for-authentic…

…ated-users-only Ensure only authenticated users can list users
onaio · Feb 11, 2025 · 197fef7 · 197fef7
2 parents e4939df + 85b600f
commit 197fef7
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 8 deletions.
diff --git a/onadata/apps/api/permissions.py b/onadata/apps/api/permissions.py
@@ -392,8 +392,7 @@ class UserViewSetPermissions(DjangoModelPermissionsOrAnonReadOnly):
 
     def has_permission(self, request, view):
         if request.user.is_anonymous and view.action == "list":
-            if request.GET.get("search"):
-                raise exceptions.NotAuthenticated()
+            raise exceptions.NotAuthenticated()
 
         return super().has_permission(request, view)
 

diff --git a/onadata/apps/api/tests/viewsets/test_user_viewset.py b/onadata/apps/api/tests/viewsets/test_user_viewset.py
@@ -63,14 +63,16 @@ def test_user_get(self):
         self.assertEqual(response.status_code, 404)
 
     def test_user_anon(self):
-        """Test anonymous user can access user info"""
+        """Test anonymous user can access user info(except for list endpoint)"""
         request = self.factory.get("/")
 
-        # users list endpoint
+        # users list endpoint returns 401 for anonymous users
         view = UserViewSet.as_view({"get": "list"})
         response = view(request)
-        self.assertEqual(response.status_code, 200)
-        self.assertEqual(response.data, [self.data])
+        self.assertEqual(response.status_code, 401)
+        self.assertEqual(
+            response.data, {"detail": "Authentication credentials were not provided."}
+        )
 
         # user with username bob
         view = UserViewSet.as_view({"get": "retrieve"})
@@ -144,15 +146,15 @@ def test_get_non_org_users(self):
 
         view = UserViewSet.as_view({"get": "list"})
 
-        all_users_request = self.factory.get("/")
+        all_users_request = self.factory.get("/", **self.extra)
         all_users_response = view(all_users_request)
 
         self.assertEqual(all_users_response.status_code, 200)
         self.assertEqual(
             len([u for u in all_users_response.data if u["username"] == "denoinc"]), 1
         )
 
-        no_orgs_request = self.factory.get("/", data={"orgs": "false"})
+        no_orgs_request = self.factory.get("/", data={"orgs": "false"}, **self.extra)
         no_orgs_response = view(no_orgs_request)
 
         self.assertEqual(no_orgs_response.status_code, 200)