Security improvments

2025-08-02 19:55:18 +02:00 · 2024-08-06 09:35:18 -04:00 · 2024-08-06 09:35:18 -04:00 · 3b002c0c50
commit 3b002c0c50
parent 8453be8003
4 changed files with 20 additions and 16 deletions
--- a/backend/server/adventures/serializers.py
+++ b/backend/server/adventures/serializers.py
@ -7,6 +7,7 @@ class AdventureSerializer(serializers.ModelSerializer):
    class Meta:
        model = Adventure
        fields = '__all__' 
+        read_only_fields = ['id', 'created_at', 'updated_at', 'user_id']

    def to_representation(self, instance):
        representation = super().to_representation(instance)
@ -205,4 +206,4 @@ class CollectionSerializer(serializers.ModelSerializer):
        model = Collection
        # fields are all plus the adventures field
        fields = ['id', 'description', 'user_id', 'name', 'is_public', 'adventures', 'created_at', 'start_date', 'end_date', 'transportations', 'notes', 'updated_at', 'checklists']
-        read_only_fields = ['id', 'created_at', 'updated_at']
+        read_only_fields = ['id', 'created_at', 'updated_at', 'user_id']
--- a/backend/server/users/serializers.py
+++ b/backend/server/users/serializers.py
@ -105,19 +105,19 @@ from rest_framework import serializers
 from django.conf import settings
 import os

-class AdventureSerializer(serializers.ModelSerializer):
-    image = serializers.SerializerMethodField()
+# class AdventureSerializer(serializers.ModelSerializer):
+#     image = serializers.SerializerMethodField()

-    class Meta:
-        model = Adventure
-        fields = ['id', 'user_id', 'type', 'name', 'location', 'activity_types', 'description', 
-                  'rating', 'link', 'image', 'date', 'trip_id', 'is_public', 'longitude', 'latitude']
+#     class Meta:
+#         model = Adventure
+#         fields = ['id', 'user_id', 'type', 'name', 'location', 'activity_types', 'description', 
+#                   'rating', 'link', 'image', 'date', 'trip_id', 'is_public', 'longitude', 'latitude']

-    def get_image(self, obj):
-        if obj.image:
-            public_url = os.environ.get('PUBLIC_URL', '')
-            return f'{public_url}/media/{obj.image.name}'
-        return None
+#     def get_image(self, obj):
+#         if obj.image:
+#             public_url = os.environ.get('PUBLIC_URL', '')
+#             return f'{public_url}/media/{obj.image.name}'
+#         return None

 class UserDetailsSerializer(serializers.ModelSerializer):
    """
@ -161,7 +161,7 @@ class UserDetailsSerializer(serializers.ModelSerializer):
            
        model = UserModel
        fields = ('pk', *extra_fields)
-        read_only_fields = ('email', 'date_joined', 'is_staff')
+        read_only_fields = ('email', 'date_joined', 'is_staff', 'is_superuser', 'is_active', 'pk')

 class CustomUserDetailsSerializer(UserDetailsSerializer):

--- a/backend/server/worldtravel/serializers.py
+++ b/backend/server/worldtravel/serializers.py
@ -16,14 +16,17 @@ class CountrySerializer(serializers.ModelSerializer):
    class Meta:
        model = Country
        fields = '__all__'  # Serialize all fields of the Adventure model
+        read_only_fields = '__all__'

 class RegionSerializer(serializers.ModelSerializer):
    flag_url = ''
    class Meta:
        model = Region
        fields = '__all__'  # Serialize all fields of the Adventure model
+        read_only_fields = '__all__'

 class VisitedRegionSerializer(serializers.ModelSerializer):
    class Meta:
        model = VisitedRegion
-        fields = '__all__'  # Serialize all fields of the Adventure model
+        fields = '__all__'  # Serialize all fields of the Adventure model
+        read_only_fields = ['user_id']