fix(api): improve users access control#17256
Merged
Merged
Conversation
nijel
commented
Dec 10, 2025
nijel
commented
Member
- allow users to edit self via API
- restrict access to notifications
- restrict access to user search for unauthenticated
Contributor
There was a problem hiding this comment.
Pull request overview
This PR improves API access control for user management by allowing users to edit their own profiles while restricting access to sensitive operations. The changes introduce an allow_self parameter to permission checks, enabling controlled self-service functionality while maintaining security boundaries for user search and notifications.
Key Changes:
- Modified
perm_checkto support anallow_selfparameter for distinguishing between self-editing and admin-level operations - Enabled users to update their own profiles and read their own notifications without requiring admin permissions
- Restricted user search results to authenticated users only
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| weblate/api/views.py | Enhanced UserViewSet permission checks with allow_self logic; added authentication check for user search endpoint |
| weblate/api/serializers.py | Added id to read_only_fields in BasicUserSerializer (insufficient protection for FullUserSerializer) |
| weblate/api/tests.py | Added comprehensive tests for self-editing, notification access controls, and anonymous user search restrictions |
Comments suppressed due to low confidence (1)
weblate/api/tests.py:391
- Missing test coverage for users listing their own notifications without superuser privileges. The test adds a check for anonymous users being denied (line 378-383) and superusers accessing notifications (line 384-391), but doesn't verify that regular users can list their own notifications via
allow_self=True(line 560 in views.py).
Recommendation: Add a test case that verifies a regular authenticated user can list their own notifications:
# User can list their own notifications
response = self.do_request(
"api:user-notifications",
kwargs={"username": self.user.username},
method="get",
code=200,
)
self.assertGreaterEqual(response.data["count"], 0) def test_list_notifications(self) -> None:
self.do_request(
"api:user-notifications",
kwargs={"username": settings.ANONYMOUS_USER_NAME},
method="get",
code=403,
)
response = self.do_request(
"api:user-notifications",
kwargs={"username": User.objects.filter(is_active=True)[0].username},
method="get",
superuser=True,
code=200,
)
self.assertEqual(response.data["count"], 10)
- allow users to edit self via API - restrict access to notifications - restrict access to user search for unauthenticated
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.