refactor(Users): allow anyone to query any user (#689)

openfoodfacts · Jan 26, 2025 · 44e1179 · 44e1179
1 parent d6f81db
commit 44e1179
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 20 deletions.
diff --git a/open_prices/api/users/tests.py b/open_prices/api/users/tests.py
@@ -92,22 +92,22 @@ def setUpTestData(cls):
     def test_user_detail(self):
         # anonymous
         response = self.client.get(self.url)
-        self.assertEqual(response.status_code, 403)
+        self.assertEqual(response.status_code, 200)
         # anonymous, unknown user
         url = reverse("api:users-detail", args=[999])
         response = self.client.get(url)
-        self.assertEqual(response.status_code, 403)
+        self.assertEqual(response.status_code, 404)
         # authenticated, unknown user
         response = self.client.get(
             url, headers={"Authorization": f"Bearer {self.user_session_1.token}"}
         )
-        self.assertEqual(response.status_code, 403)
+        self.assertEqual(response.status_code, 404)
         # authenticated, but not owner
         response = self.client.get(
             self.url, headers={"Authorization": f"Bearer {self.user_session_2.token}"}
         )
-        self.assertEqual(response.status_code, 403)
-        # authenticated and owner: OK
+        self.assertEqual(response.status_code, 200)
+        # authenticated and owner
         response = self.client.get(
             self.url, headers={"Authorization": f"Bearer {self.user_session_1.token}"}
         )

diff --git a/open_prices/api/users/views.py b/open_prices/api/users/views.py
@@ -1,10 +1,8 @@
 from django_filters.rest_framework import DjangoFilterBackend
-from rest_framework import filters, mixins, status, viewsets
-from rest_framework.response import Response
+from rest_framework import filters, mixins, viewsets
 
 from open_prices.api.users.filters import UserFilter
 from open_prices.api.users.serializers import UserSerializer
-from open_prices.common.authentication import CustomAuthentication
 from open_prices.users.models import User
 
 
@@ -26,15 +24,3 @@ def get_queryset(self):
         if not self.kwargs.get("user_id", None):
             return self.queryset.has_prices()
         return self.queryset
-
-    def get_authenticators(self):
-        # retrieve: require authentication
-        if self.kwargs.get("user_id", None):
-            return [CustomAuthentication()]
-        return super().get_authenticators()
-
-    def retrieve(self, request, *args, **kwargs):
-        if self.request.user.is_authenticated:
-            if self.request.user.user_id == kwargs["user_id"]:
-                return super().retrieve(request, *args, **kwargs)
-        return Response(status=status.HTTP_403_FORBIDDEN)