From 44e1179a2663390ec9dd87e15dc35e03c2d63150 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Odini?=
Date: Sun, 26 Jan 2025 22:37:34 +0100
Subject: [PATCH] refactor(Users): allow anyone to query any user (#689)
---
 open_prices/api/users/tests.py | 10 +++++-----
 open_prices/api/users/views.py | 16 +---------------
 2 files changed, 6 insertions(+), 20 deletions(-)
diff --git a/open_prices/api/users/tests.py b/open_prices/api/users/tests.py
index 3d92a4e7..9e7a3929 100644
--- a/open_prices/api/users/tests.py
+++ b/open_prices/api/users/tests.py
@@ -92,22 +92,22 @@ def setUpTestData(cls):
 def test_user_detail(self):
 # anonymous
 response = self.client.get(self.url)
- self.assertEqual(response.status_code, 403)
+ self.assertEqual(response.status_code, 200)
 # anonymous, unknown user
 url = reverse("api:users-detail", args=[999])
 response = self.client.get(url)
- self.assertEqual(response.status_code, 403)
+ self.assertEqual(response.status_code, 404)
 # authenticated, unknown user
 response = self.client.get(
 url, headers={"Authorization": f"Bearer {self.user_session_1.token}"}
 )
- self.assertEqual(response.status_code, 403)
+ self.assertEqual(response.status_code, 404)
 # authenticated, but not owner
 response = self.client.get(
 self.url, headers={"Authorization": f"Bearer {self.user_session_2.token}"}
 )
- self.assertEqual(response.status_code, 403)
- # authenticated and owner: OK
+ self.assertEqual(response.status_code, 200)
+ # authenticated and owner
 response = self.client.get(
 self.url, headers={"Authorization": f"Bearer {self.user_session_1.token}"}
 )
diff --git a/open_prices/api/users/views.py b/open_prices/api/users/views.py
index 4180fe78..ca2aa55a 100644
--- a/open_prices/api/users/views.py
+++ b/open_prices/api/users/views.py
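Review bot: The updated assertions in `test_user_detail` only check status codes, so the test would still pass if the now-public detail response carried fields that should stay private. Since the anonymous and non-owner requests now receive a 200, the anonymous case is the right place to also pin the payload, e.g. `self.assertEqual(set(response.json().keys()), EXPECTED_PUBLIC_FIELDS)` where `EXPECTED_PUBLIC_FIELDS` is a placeholder for the field set the serializer is meant to expose. The remainder of the test method runs past the end of the hunk.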
@@ -1,10 +1,8 @@
 from django_filters.rest_framework import DjangoFilterBackend
-from rest_framework import filters, mixins, status, viewsets
-from rest_framework.response import Response
+from rest_framework import filters, mixins, viewsets
 from open_prices.api.users.filters import UserFilter
 from open_prices.api.users.serializers import UserSerializer
-from open_prices.common.authentication import CustomAuthentication
 from open_prices.users.models import User
@@ -26,15 +24,3 @@ def get_queryset(self):
 if not self.kwargs.get("user_id", None):
 return self.queryset.has_prices()
 return self.queryset
-
- def get_authenticators(self):
- # retrieve: require authentication
- if self.kwargs.get("user_id", None):
- return [CustomAuthentication()]
- return super().get_authenticators()
-
- def retrieve(self, request, *args, **kwargs):
- if self.request.user.is_authenticated:
- if self.request.user.user_id == kwargs["user_id"]:
- return super().retrieve(request, *args, **kwargs)
- return Response(status=status.HTTP_403_FORBIDDEN)
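Review bot: With `get_authenticators` and `retrieve` removed, the detail route no longer requires authentication or ownership, so whatever `UserSerializer` emits is now served to anonymous callers; the serializer is not part of this diff, so it is worth confirming on this commit that it exposes only fields meant to be public. The surviving `get_queryset` (its `def` line is outside the hunk) still applies `has_prices()` only to the list route, so the detail route can look up any user by id, including users the list endpoint hides; if that is not intended, return `self.queryset.has_prices()` for the detail route as well. A short comment on the viewset recording the decision, e.g. `# retrieve is public: any caller may look up any user by id`, would keep the next reader from re-adding the removed check or wondering where it went.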