[fix] Use UUID converters for users API detail routes #487

czarflix · czarflix · commit 559e7668d14a · 2026-03-12T22:18:45.000+05:30
User and organization API detail routes currently use string path converters even though the underlying resources are UUID-backed. This allows malformed IDs to resolve to DRF views and return 401 instead of being rejected at the routing boundary with 404. Update the five affected routes to use uuid converters and add a regression test covering malformed UUID paths. Closes #487
diff --git a/openwisp_users/api/urls.py b/openwisp_users/api/urls.py
@@ -16,7 +16,7 @@ def get_api_urls(api_views=None):
             name="organization_list",
         ),
         path(
-            "users/organization/<str:pk>/",
+            "users/organization/<uuid:pk>/",
             views.organization_detail,
             name="organization_detail",
         ),
@@ -25,19 +25,19 @@ def get_api_urls(api_views=None):
             views.user_list,
             name="user_list",
         ),
-        path("users/user/<str:pk>/", views.user_detail, name="user_detail"),
+        path("users/user/<uuid:pk>/", views.user_detail, name="user_detail"),
         path(
-            "users/user/<str:pk>/password/",
+            "users/user/<uuid:pk>/password/",
             views.change_password,
             name="change_password",
         ),
         path(
-            "users/user/<str:pk>/email/",
+            "users/user/<uuid:pk>/email/",
             views.email_list,
             name="email_list",
         ),
         path(
-            "users/user/<str:pk>/email/<int:email_id>/",
+            "users/user/<uuid:pk>/email/<int:email_id>/",
             views.email_update,
             name="email_update",
         ),
diff --git a/openwisp_users/tests/test_api/test_views.py b/openwisp_users/tests/test_api/test_views.py
@@ -24,3 +24,17 @@ def test_protected_api_mixin_view(self):
         self.assertEqual(response.headers["WWW-Authenticate"], "Bearer")
         self.assertEqual(response.data["detail"], auth_error)
         self.assertEqual(response.status_code, 401)
+
+    def test_invalid_uuid_routes_return_404(self):
+        invalid_uuid_paths = (
+            "/api/v1/users/user/not-a-uuid/",
+            "/api/v1/users/organization/not-a-uuid/",
+            "/api/v1/users/user/not-a-uuid/password/",
+            "/api/v1/users/user/not-a-uuid/email/",
+            "/api/v1/users/user/not-a-uuid/email/1/",
+        )
+
+        for path in invalid_uuid_paths:
+            with self.subTest(path=path):
+                response = self.client.get(path)
+                self.assertEqual(response.status_code, 404)
