Profile API security

[ethanstrominger]

Overview

As a security admin I want to make sure that users can see and update only appropriate fields. get for profile api should return all fields except password. Patch should allow all fields except password, created_at, updated_at, is_staff, is_superuser, and is_active.

Action Items

• Implement as explained in technical details
• Add tests

Technical

Recommended approach:

• Create a ProfileSerializer that includes all fields except password and marks created_at, updated_at, is_active, is_superuser, is_staff, and uuid as read only.
• Disable post (requires googling) operation
• Create a view that uses the ProfileSerializer.
• Modify profile URL to point to this view.
• Tests
  • Verify response does not include password
  • Verify patching (updating) password gives an error
  • Verify patching created_at, updated_at, or uuid gives an error
  • Verify all other fields can be updated

[fyliu]

@ethanstrominger

Is there a reason for the user to know if they're is_staff, is_superuser?

I looked at the existing UserProfileAPIView code and it looks close to what you want. It's using the UserSerializer and the User object of the logged-in user. The permissions can just be anyone that's authenticated I think, since it's limited to the single user object?

I noted the differences between this issue and UserSerializer below, but you might be right to create a new serializer for this if you need the is_staff and is_superuser.

UserSerializer excerpt:

    fields = (
        "uuid",
        "username",
        "created_at",
        "updated_at",
        "email",
        "first_name",
        "last_name",
        "gmail",
        "preferred_email",
        "current_job_title",
        "target_job_title",
        "current_skills",
        "target_skills",
        "linkedin_account",
        "github_handle",
        "slack_id",
        "phone",
        "texting_ok",
        "time_zone",
    )
    read_only_fields = (
        "uuid",
        "created_at",
        "updated_at",
        "username",
        "email",

Comparing this to your requirements:

1. GET will need to add is_staff, is_superuser, and is_active to fields.

2. PATCH will need is_staff, is_superuser added to read_only_fields. is_active as well but that has a pending rename to user_status and data type conversion to FK.