[req-changes] Made requested changes by coderabbitai

pandafy · pandafy · commit af7d04269ba6 · 2026-02-10T20:12:08.000+05:30
diff --git a/openwisp_radius/api/serializers.py b/openwisp_radius/api/serializers.py
@@ -379,6 +379,8 @@ def __init__(self, *args, **kwargs):
             self.fields["group"].queryset = self.fields["group"].queryset.filter(
                 organization_id__in=self._user.organizations_dict.keys()
             )
+        else:
+            self.fields["group"].queryset = self.fields["group"].queryset.none()
 
     def validate(self, data):
         if self._user:
diff --git a/openwisp_radius/api/views.py b/openwisp_radius/api/views.py
@@ -963,7 +963,7 @@ class BaseRadiusUserGroupView(ProtectedAPIMixin, FilterByParentManaged):
     def get_queryset(self):
         qs = super().get_queryset()
         if getattr(self, "swagger_fake_view", False):
-            return super().get_queryset()
+            return qs
         return qs.filter(user_id=self.kwargs["user_pk"])
 
     def get_parent_queryset(self):
diff --git a/openwisp_radius/tests/test_api/test_api.py b/openwisp_radius/tests/test_api/test_api.py
@@ -1299,6 +1299,7 @@ def test_radius_user_group_list(self):
         self._create_org_user(user=admin_user, organization=org1, is_admin=True)
         target_user = self._create_user(username="target_user", email="target@test.com")
         self._create_org_user(user=target_user, organization=org1)
+        self._create_org_user(user=target_user, organization=org2)
         # Create a user in org2 that admin_user should not be able to access
         org2_user = self._create_user(username="org2_user", email="org2@test.com")
         self._create_org_user(user=org2_user, organization=org2)
@@ -1367,7 +1368,8 @@ def test_radius_user_group_list(self):
             self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
 
         with self.subTest("Cannot create RadiusUserGroup with group from other org"):
-            self._create_org_user(user=admin_user, organization=org2, is_admin=True)
+            # target_user is member of org2,
+            # but admin_user can only manage org1
             org2_group = RadiusGroup.objects.get(
                 organization=org2, name="org-2-power-users"
             )
@@ -1380,6 +1382,21 @@ def test_radius_user_group_list(self):
             self.assertIn("group", response.data)
             self.assertEqual(response.data["group"][0].code, "does_not_exist")
 
+            # target_user is only member of org1,
+            # admin_user can manage both org1 and org2
+            OrganizationUser.objects.filter(
+                user=target_user, organization=org2
+            ).delete()
+            self._create_org_user(user=target_user, organization=org2, is_admin=True)
+            response = self.client.post(
+                url,
+                {"group": str(org2_group.pk)},
+                content_type="application/json",
+            )
+            self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+            self.assertIn("group", response.data)
+            self.assertEqual(response.data["group"][0].code, "does_not_exist")
+
         with self.subTest("Superuser can access any user"):
             superuser = self._get_admin()
             self.client.force_login(user=superuser)

Original file line number	Diff line number	Diff line change
`@@ -379,6 +379,8 @@ def __init__(self, args, *kwargs):`
`379`	`379`	`self.fields["group"].queryset = self.fields["group"].queryset.filter(`
`380`	`380`	`organization_id__in=self._user.organizations_dict.keys()`
`381`	`381`	`)`
	`382`	`+ else:`
	`383`	`+ self.fields["group"].queryset = self.fields["group"].queryset.none()`
`382`	`384`
`383`	`385`	`def validate(self, data):`
`384`	`386`	`if self._user:`