Security improvments

backend/server/adventures/serializers.py

@@ -7,6 +7,7 @@ class AdventureSerializer(serializers.ModelSerializer):
     class Meta:
         model = Adventure
         fields = '__all__' 
+        read_only_fields = ['id', 'created_at', 'updated_at', 'user_id']
 
     def to_representation(self, instance):
         representation = super().to_representation(instance)
@@ -205,4 +206,4 @@ class CollectionSerializer(serializers.ModelSerializer):
         model = Collection
         # fields are all plus the adventures field
         fields = ['id', 'description', 'user_id', 'name', 'is_public', 'adventures', 'created_at', 'start_date', 'end_date', 'transportations', 'notes', 'updated_at', 'checklists']
-        read_only_fields = ['id', 'created_at', 'updated_at']
+        read_only_fields = ['id', 'created_at', 'updated_at', 'user_id']

backend/server/users/serializers.py

@@ -105,19 +105,19 @@ from rest_framework import serializers
 from django.conf import settings
 import os
 
-class AdventureSerializer(serializers.ModelSerializer):
+# class AdventureSerializer(serializers.ModelSerializer):
-    image = serializers.SerializerMethodField()
+#     image = serializers.SerializerMethodField()
 
-    class Meta:
+#     class Meta:
-        model = Adventure
+#         model = Adventure
-        fields = ['id', 'user_id', 'type', 'name', 'location', 'activity_types', 'description', 
+#         fields = ['id', 'user_id', 'type', 'name', 'location', 'activity_types', 'description', 
-                  'rating', 'link', 'image', 'date', 'trip_id', 'is_public', 'longitude', 'latitude']
+#                   'rating', 'link', 'image', 'date', 'trip_id', 'is_public', 'longitude', 'latitude']
 
-    def get_image(self, obj):
+#     def get_image(self, obj):
-        if obj.image:
+#         if obj.image:
-            public_url = os.environ.get('PUBLIC_URL', '')
+#             public_url = os.environ.get('PUBLIC_URL', '')
-            return f'{public_url}/media/{obj.image.name}'
+#             return f'{public_url}/media/{obj.image.name}'
-        return None
+#         return None
 
 class UserDetailsSerializer(serializers.ModelSerializer):
     """
@@ -161,7 +161,7 @@ class UserDetailsSerializer(serializers.ModelSerializer):
             
         model = UserModel
         fields = ('pk', *extra_fields)
-        read_only_fields = ('email', 'date_joined', 'is_staff')
+        read_only_fields = ('email', 'date_joined', 'is_staff', 'is_superuser', 'is_active', 'pk')
 
 class CustomUserDetailsSerializer(UserDetailsSerializer):
 

backend/server/worldtravel/serializers.py

@@ -16,14 +16,17 @@ class CountrySerializer(serializers.ModelSerializer):
     class Meta:
         model = Country
         fields = '__all__'  # Serialize all fields of the Adventure model
+        read_only_fields = '__all__'
 
 class RegionSerializer(serializers.ModelSerializer):
     flag_url = ''
     class Meta:
         model = Region
         fields = '__all__'  # Serialize all fields of the Adventure model
+        read_only_fields = '__all__'
 
 class VisitedRegionSerializer(serializers.ModelSerializer):
     class Meta:
         model = VisitedRegion
-        fields = '__all__'  # Serialize all fields of the Adventure model
+        fields = '__all__'  # Serialize all fields of the Adventure model
+        read_only_fields = ['user_id']

frontend/src/lib/components/ChecklistModal.svelte

@@ -130,9 +130,9 @@
 	<!-- svelte-ignore a11y-no-noninteractive-element-interactions -->
 	<!-- svelte-ignore a11y-no-noninteractive-tabindex -->
 	<div class="modal-box" role="dialog" on:keydown={handleKeydown} tabindex="0">
-		<h3 class="font-bold text-lg">Checklist Editor</h3>
+		<h3 class="font-bold text-lg mb-2">Checklist Editor</h3>
 		{#if initialName}
-			<p class="font-semibold text-md mb-2">Editing note {initialName}</p>
+			<p class="font-semibold text-md mb-2">Editing checklist {initialName}</p>
 		{/if}
 
 		{#if (checklist && user?.pk == checklist?.user_id) || !checklist}