
API: use restricted serializer for related projects #11820


Status: Merged (6 commits, Jan 13, 2025)
35 changes: 30 additions & 5 deletions readthedocs/api/v3/serializers.py
Expand Up @@ -846,13 +846,38 @@ def get_homepage(self, obj):

def get_translation_of(self, obj):
if obj.main_language_project:
return self.__class__(obj.main_language_project).data
# Since the related project can be private, we use a restricted serializer.
return RestrictedProjectSerializer(obj.main_language_project).data
return None

def get_subproject_of(self, obj):
try:
return self.__class__(obj.superprojects.first().parent).data
except Exception:
return None
parent_relationshipt = obj.superprojects.first()
if parent_relationshipt:
# Since the related project can be private, we use a restricted serializer.
return RestrictedProjectSerializer(parent_relationshipt.parent).data
return None


class RestrictedProjectSerializer(serializers.ModelSerializer):

"""
Stripped version of the ProjectSerializer to be used when including related projects.

This serializer is used to avoid leaking information about a private project through
a public project. Instead of checking if user has access to the project,
we just show the name and slug.
"""

_links = ProjectLinksSerializer(source="*")

class Meta:
model = Project
fields = [
"id",
"name",
Member Author:

I wonder if we should exclude the name from restricted objects as well (restricted organization is the other serializer like this)

"slug",
"_links",
]


class SubprojectCreateSerializer(FlexFieldsModelSerializer):
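Review bot: `parent_relationshipt` in `get_subproject_of` is misspelled; rename it to `parent_relationship` on all three lines where it appears (`parent_relationshipt = obj.superprojects.first()`, `if parent_relationshipt:`, `RestrictedProjectSerializer(parent_relationshipt.parent).data`). The explicit check for a missing parent relationship is a clear improvement over the old bare `except Exception`, which also hid unrelated errors. On `RestrictedProjectSerializer`, the `fields` list still includes `"id"` even though the docstring says the serializer should show only the name and slug of a possibly private project; either drop `"id"` or extend the docstring to say why the numeric id is safe to expose alongside the slug. Minor: the docstring should read "if the user has access to the project".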