[change] Hide sensitive fields for non-superuser on shared objects

pandafy · pandafy · commit b1a8dc971917 · 2025-07-04T20:11:55.000+05:30
diff --git a/openwisp_users/multitenancy.py b/openwisp_users/multitenancy.py
@@ -20,6 +20,10 @@ class MultitenantAdminMixin(object):
 
     multitenant_shared_relations = None
     multitenant_parent = None
+    sensitive_fields = []
+
+    def get_sensitive_fields(self, request, obj=None):
+        return self.sensitive_fields
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
@@ -37,6 +41,21 @@ def get_repr(self, obj):
 
     get_repr.short_description = _("name")
 
+    def get_fields(self, request, obj=None):
+        """
+        Return the list of fields to be displayed in the admin.
+
+        If the user is not a superuser, it will remove sensitive fields.
+        """
+        fields = super().get_fields(request, obj)
+        if obj and not request.user.is_superuser:
+            if self.multitenant_parent:
+                obj = getattr(obj, self.multitenant_parent)
+            if getattr(obj, "organization_id", None) is None:
+                sensitive_fields = self.get_sensitive_fields(request, obj)
+                return [f for f in fields if f not in sensitive_fields]
+        return fields
+
     def get_queryset(self, request):
         """
         If current user is not superuser, show only the
diff --git a/openwisp_users/tests/utils.py b/openwisp_users/tests/utils.py
@@ -290,6 +290,40 @@ def _test_org_admin_view_shareable_object(
             )
         self.assertContains(response, expected_element, html=True)
 
+    def _test_sensitive_fields_visibility_on_shared_and_org_objects(
+        self,
+        sensitive_fields,
+        shared_obj_path,
+        org_obj_path,
+        organization,
+        org_admin=None,
+        super_user=None,
+    ):
+        org_admin = org_admin or self._create_administrator(
+            organizations=[organization]
+        )
+        super_user = super_user or self._get_admin()
+
+        self.client.force_login(org_admin)
+        with self.subTest("Org admin should not see sensitive fields in shared object"):
+            response = self.client.get(shared_obj_path)
+            self.assertEqual(response.status_code, 200)
+            for field in sensitive_fields:
+                self.assertNotContains(response, field)
+
+        with self.subTest("Org admin should see sensitive fields in org object"):
+            response = self.client.get(org_obj_path)
+            self.assertEqual(response.status_code, 200)
+            for field in sensitive_fields:
+                self.assertContains(response, field)
+
+        self.client.force_login(super_user)
+        with self.subTest("Superuser should see sensitive fields in shared object"):
+            response = self.client.get(shared_obj_path)
+            self.assertEqual(response.status_code, 200)
+            for field in sensitive_fields:
+                self.assertContains(response, field)
+
     def _test_object_organization_fk_autocomplete_view(
         self,
         model,
diff --git a/tests/testapp/admin.py b/tests/testapp/admin.py
@@ -61,7 +61,7 @@ def change_view(self, request, object_id, form_url="", extra_context=None):
 
 
 class TemplateAdmin(BaseAdmin):
-    pass
+    sensitive_fields = ["secrets"]
 
 
 class TagAdmin(BaseAdmin):
diff --git a/tests/testapp/migrations/0007_template_secrets.py b/tests/testapp/migrations/0007_template_secrets.py
@@ -0,0 +1,18 @@
+# Generated by Django 5.2.1 on 2025-07-04 13:47
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("testapp", "0006_alter_book_shelf"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="template",
+            name="secrets",
+            field=models.TextField(blank=True, null=True),
+        ),
+    ]
diff --git a/tests/testapp/models.py b/tests/testapp/models.py
@@ -8,6 +8,10 @@
 
 class Template(ShareableOrgMixin):
     name = models.CharField(max_length=16)
+    secrets = models.TextField(
+        blank=True,
+        null=True,
+    )
 
     def __str__(self):
         return self.name
diff --git a/tests/testapp/tests/test_admin.py b/tests/testapp/tests/test_admin.py
@@ -91,3 +91,23 @@ def test_superuser_create_shareable_template(self):
         )
         self.assertEqual(response.status_code, 200)
         self.assertEqual(Template.objects.count(), 1)
+
+    def test_hide_sensitive_fields_for_shared_object(self):
+        """
+        Test that sensitive fields are hidden for shared objects for non-superusers.
+        """
+        org = self._get_org()
+        shared_template = self._create_template(
+            organization=None, secrets="shared-secret"
+        )
+        org_template = self._create_template(organization=org, secrets="org-secret")
+        self._test_sensitive_fields_visibility_on_shared_and_org_objects(
+            sensitive_fields=["secrets"],
+            shared_obj_path=reverse(
+                "admin:testapp_template_change", args=(shared_template.id,)
+            ),
+            org_obj_path=reverse(
+                "admin:testapp_template_change", args=(org_template.id,)
+            ),
+            organization=org,
+        )
