
Regional Additional Info Page - Power BI dashboard visible despite setting visibility to IFRC & NS #2576

@arunissun

Description

Regional Snippet Visibility Not Enforced - Content set to visibility IFRC and NS is visible to all

πŸ› Bug Description

Regional snippets are always viewable to non-logged-in users on the frontend, regardless of the visibility setting configured in Django admin. This means that even when visibility is set to "IFRC and NS", "IFRC", or "RCRC Movement", the snippets remain publicly accessible to unauthenticated users.

📋 Steps to Reproduce

  1. Go to Django Admin panel
  2. Navigate to Regional Snippets for any region (e.g., Asia Pacific - Region ID: 2)
  3. Set the Visibility field to any restricted option (e.g., "IFRC and NS")
  4. Save the snippet
  5. Open a browser without logging in (no authentication token)
  6. Access the API endpoint: https://goadmin.ifrc.org/api/v2/region/2/
  7. Observe: The snippet with restricted visibility is still returned in the JSON response
  8. Navigate to the region page on the frontend
  9. Observe: The snippet (Power BI dashboard) is visible to non-logged-in users

The visibility setting in Django admin is completely ignored by the API endpoint.

πŸ” Expected Behavior

  • Visibility = "Public": Snippet visible to everyone (logged in or not)
  • Visibility = "IFRC and NS": Snippet only visible to logged-in IFRC or NS users
  • Visibility = "RCRC Movement": Snippet only visible to logged-in users of RCRC Movement
  • Visibility = "IFRC": Snippet only visible to logged-in IFRC users

Users that are not logged in should NOT be able to see any snippets with restricted visibility settings.

❌ Actual Behavior

The /api/v2/region/{id}/ endpoint returns ALL snippets regardless of what visibility is set in Django admin, even for unauthenticated requests (no authentication token). This exposes restricted content (like Power BI dashboards) publicly.

The visibility field has no effect on the /api/v2/region/{id}/ endpoint.

🔧 Technical Analysis

Root Cause (possible, per my analysis)

File: api/serializers.py (lines 608-640)

The RegionRelationSerializer class includes the snippets field as a direct relationship without any filtering:

class RegionRelationSerializer(ModelSerializer):
    snippets = RegionSnippetSerializer(many=True, read_only=True)  # ⚠️ NO FILTERING

This means all related snippets are included without checking:

  • The visibility field value
  • User authentication status

Comparison with Working Endpoint

❌ Broken endpoint: /api/v2/region/{id}/

  • Returns ALL snippets
  • Accessible without authentication
  • Uses RegionRelationSerializer

✅ Working endpoint: /api/v2/region_snippet/?region={id}

  • Correctly filters snippets based on visibility and authentication
  • Uses RegionSnippetViewset with ReadOnlyVisibilityViewset
  • Requires authentication for non-public snippets

Example API Responses

Broken endpoint - /api/v2/region/2/ (Unauthenticated Request):

{
    "snippets": [
        {
            "region": 2,
            "visibility": 4,
            "visibility_display": "IFRC and NS",
            "snippet": "<iframe title=\"Portal_of_DBs\" src=\"...\"></iframe>",
            "id": 44
        }
    ]
}

☝️ Snippet with visibility: 4 ("IFRC and NS") is returned to unauthenticated user

Working endpoint - /api/v2/region_snippet/?region=2 (Requires Authentication):

{
    "count": 1,
    "next": null,
    "previous": null,
    "results": [
        {
            "region": 2,
            "image": null,
            "visibility": 4,
            "visibility_display": "IFRC and NS",
            "id": 44,
            "snippet": "<iframe title=\"Portal_of_DBs\" src=\"https://app.powerbi.com/view?r=eyJrIjoiZjNmMzU5MGYtYjkwOS00MTA5LWI0ODQtMTMwN2E5ZWMzYTY1IiwidCI6ImEyYjUzYmU1LTczNGUtNGU2Yy1hYjBkLWQxODRmNjBmZDkxNyIsImMiOjh9\" width=\"1240\" height=\"720\" frameborder=\"0\" allowfullscreen=\"allowfullscreen\"></iframe>",
            "translation_module_original_language": "en"
        }
    ]
}

☝️ This endpoint correctly requires authentication and respects visibility
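The following is an added example, not code from IFRCGo/go-api, that models the two behaviours compared above: the unfiltered serialization the broken endpoint performs, and the per-snippet visibility check the working endpoint applies, plus a small check that flags non-public snippets in an unauthenticated response. Only visibility code 4 = "IFRC and NS" is taken from the issue's JSON; the other codes (1, 2, 3), the `User` flag names (`is_ifrc`, `is_ns`) and the second sample snippet are assumptions for this demo.

```python
# Added example (not IFRCGo/go-api code): visibility filtering that the
# /api/v2/region/{id}/ serializer would need to apply to its "snippets" field.
from dataclasses import dataclass

VISIBILITY_MEMBERSHIP = 1   # "RCRC Movement"  (assumed code)
VISIBILITY_IFRC = 2         # "IFRC"           (assumed code)
VISIBILITY_PUBLIC = 3       # "Public"         (assumed code)
VISIBILITY_IFRC_NS = 4      # "IFRC and NS"    (the code shown in the issue's JSON)


@dataclass(frozen=True)
class User:
    """Minimal stand-in for request.user; flag names are assumptions."""
    is_authenticated: bool = False
    is_ifrc: bool = False   # IFRC staff
    is_ns: bool = False     # National Society staff


ANONYMOUS = User()


def can_view(visibility: int, user: User) -> bool:
    """Apply the expected behaviour listed in the issue: anything that is not
    Public requires a logged-in user with the matching role. Unknown codes
    fail closed so a new choice can never leak by default."""
    if visibility == VISIBILITY_PUBLIC:
        return True
    if not user.is_authenticated:
        return False
    if visibility == VISIBILITY_MEMBERSHIP:
        return True                       # any logged-in Movement user
    if visibility == VISIBILITY_IFRC_NS:
        return user.is_ifrc or user.is_ns
    if visibility == VISIBILITY_IFRC:
        return user.is_ifrc
    return False


def serialize_region_unfiltered(region: dict, user: User = ANONYMOUS) -> dict:
    """Behaviour the issue reports: every related snippet is emitted,
    regardless of its visibility or of who is asking."""
    return {"id": region["id"], "snippets": list(region["snippets"])}


def serialize_region_filtered(region: dict, user: User = ANONYMOUS) -> dict:
    """Hardened variant: run can_view() on each snippet before serializing."""
    return {
        "id": region["id"],
        "snippets": [s for s in region["snippets"] if can_view(s["visibility"], user)],
    }


def restricted_snippet_ids(response_json: dict) -> list:
    """Check for the leak described in the issue: given the JSON body returned
    to an UNAUTHENTICATED request (a /region/{id}/ object or a paginated
    /region_snippet/ page), return the ids of snippets that are not Public.
    A non-empty result means the visibility setting is being ignored."""
    snippets = response_json.get("snippets") or response_json.get("results") or []
    return [s["id"] for s in snippets if s.get("visibility") != VISIBILITY_PUBLIC]


# Constructed sample mirroring the issue's /api/v2/region/2/ payload
# (iframe src elided as in the issue); snippet 45 is invented for contrast.
REGION_2 = {
    "id": 2,
    "snippets": [
        {"id": 44, "region": 2, "visibility": VISIBILITY_IFRC_NS,
         "visibility_display": "IFRC and NS",
         "snippet": "<iframe title=\"Portal_of_DBs\" src=\"...\"></iframe>"},
        {"id": 45, "region": 2, "visibility": VISIBILITY_PUBLIC,
         "visibility_display": "Public", "snippet": "<p>public notice</p>"},
    ],
}

if __name__ == "__main__":
    ns_user = User(is_authenticated=True, is_ns=True)
    print([s["id"] for s in serialize_region_unfiltered(REGION_2)["snippets"]])        # [44, 45]
    print([s["id"] for s in serialize_region_filtered(REGION_2)["snippets"]])          # [45]
    print([s["id"] for s in serialize_region_filtered(REGION_2, ns_user)["snippets"]])  # [44, 45]
    print(restricted_snippet_ids(serialize_region_unfiltered(REGION_2)))               # [44]
```

In Django REST Framework the filtered variant would typically be wired in as a `SerializerMethodField` on the region serializer whose `get_snippets(self, obj)` reads `self.context["request"].user` and filters `obj.snippets.all()` the same way the snippet viewset already does, so that both endpoints share one visibility rule instead of two. `restricted_snippet_ids()` is the check to run against a saved unauthenticated response body to confirm the fix.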

📦 Affected Components (as per my analysis)

  • Repository: IFRCGo/go-api
  • File: api/serializers.py
  • Class: RegionRelationSerializer (lines ~608-640)
  • Model: api/models.py - RegionSnippet (lines 574-593)
  • Affected Endpoint: /api/v2/region/{id}/

📸 Screenshot

Django Admin showing visibility set to "IFRC and NS" (image not included in this text).

🔗 Related Files

  • Working viewset (for reference): api/drf_views.py - RegionSnippetViewset (lines 621-630)
  • Frontend (displays API data): app/src/views/RegionAdditionalInfo/index.tsx
  • Frontend (displays API data): app/src/views/Region/index.tsx

Priority: High
Labels: bug, security, backend, api
Affected Versions: Current production
