[change] Hide sensitive fields from API response

Author: pandafy

openwisp_users/api/mixins.py

@@ -182,13 +182,40 @@ def filter_fields(self):
             except AttributeError:
                 pass
 
+    def get_sensitive_fields(self):
+        """
+        Returns a list of sensitive fields that should be hidden
+        when the organization is None and the user is not a superuser.
+        """
+        ModelClass = self.Meta.model
+        return getattr(ModelClass, "sensitive_fields", [])
+
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
         # only filter related fields if the serializer
         # is being initiated during an HTTP request
         if "request" in self.context:
             self.filter_fields()
 
+    def to_representation(self, data):
+        rep = super().to_representation(data)
+        # Handle single object serializers
+        self.hide_sensitive_fields(rep)
+        return rep
+
+    def hide_sensitive_fields(self, obj):
+        request = self.context.get("request")
+        if (
+            request
+            and not request.user.is_superuser
+            and "organization" in obj
+            and obj["organization"] is None
+        ):
+            for field in self.get_sensitive_fields():
+                if field in obj:
+                    del obj[field]
+        return obj
+
 
 class FilterSerializerByOrgMembership(FilterSerializerByOrganization):
     """

openwisp_users/multitenancy.py

@@ -20,10 +20,9 @@ class MultitenantAdminMixin(object):
 
     multitenant_shared_relations = None
     multitenant_parent = None
-    sensitive_fields = []
 
     def get_sensitive_fields(self, request, obj=None):
-        return self.sensitive_fields
+        return getattr(self.model, "sensitive_fields", [])
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)

openwisp_users/tests/test_api/__init__.py

@@ -165,6 +165,67 @@ def _test_superuser_access_shared_object(
             expected_status_codes=expected_status_codes,
         )
 
+    def _test_sensitive_fields_visibility_on_shared_and_org_objects(
+        self,
+        sensitive_fields,
+        shared_obj,
+        org_obj,
+        detailview_name,
+        listview_name,
+        organization,
+        org_admin=None,
+        super_user=None,
+    ):
+        def assert_sensitive_fields_visibility(obj, user, should_be_visible=False):
+            token = self._obtain_auth_token(user.username, "tester")
+            auth = {"HTTP_AUTHORIZATION": f"Bearer {token}"}
+            # List view
+            listview_path = reverse(listview_name)
+            response = self.client.get(listview_path, **auth)
+            self.assertEqual(response.status_code, 200)
+            results = (
+                response.data
+                if "results" not in response.data
+                else response.data["results"]
+            )
+            for item in results:
+                if str(item["id"]) == str(obj.pk):
+                    break
+            for field in sensitive_fields:
+                self.assertEqual(
+                    field in item,
+                    should_be_visible,
+                )
+            # Detail view
+            detailview_path = reverse(detailview_name, args=[obj.pk])
+            response = self.client.get(detailview_path, **auth)
+            self.assertEqual(response.status_code, 200)
+            for field in sensitive_fields:
+                if should_be_visible:
+                    self.assertIn(field, response.data)
+                else:
+                    self.assertNotIn(field, response.data)
+
+        org_admin = org_admin or self._create_administrator(
+            organizations=[organization]
+        )
+        super_user = super_user or self._get_admin()
+
+        with self.subTest("Org admin should not see sensitive fields in shared object"):
+            assert_sensitive_fields_visibility(
+                shared_obj, org_admin, should_be_visible=False
+            )
+
+        with self.subTest("Org admin should see sensitive fields in org object"):
+            assert_sensitive_fields_visibility(
+                org_obj, org_admin, should_be_visible=True
+            )
+
+        with self.subTest("Superuser should see sensitive fields in shared object"):
+            assert_sensitive_fields_visibility(
+                shared_obj, super_user, should_be_visible=True
+            )
+
 
 class APITestCase(TestMultitenantApiMixin, AuthenticationMixin, TestCase):
     pass

tests/testapp/admin.py

@@ -61,7 +61,7 @@ def change_view(self, request, object_id, form_url="", extra_context=None):
 
 
 class TemplateAdmin(BaseAdmin):
-    sensitive_fields = ["secrets"]
+    pass
 
 
 class TagAdmin(BaseAdmin):

tests/testapp/models.py

@@ -7,6 +7,7 @@
 
 
 class Template(ShareableOrgMixin):
+    sensitive_fields = ["secrets"]
     name = models.CharField(max_length=16)
     secrets = models.TextField(
         blank=True,

tests/testapp/tests/test_permission_classes.py

@@ -291,3 +291,21 @@ def test_org_user_access_shared_object(self):
                 "option": 200,
             },
         )
+
+    def test_template_sensitive_fields_visibility(self):
+        """
+        Test that sensitive fields are hidden for shared objects for non-superusers.
+        """
+        org = self._get_org()
+        shared_template = self._create_template(
+            organization=None, secrets="shared-secret"
+        )
+        org_template = self._create_template(organization=org, secrets="org-secret")
+        self._test_sensitive_fields_visibility_on_shared_and_org_objects(
+            sensitive_fields=["secrets"],
+            shared_obj=shared_template,
+            org_obj=org_template,
+            detailview_name="test_template_detail",
+            listview_name="test_template_list",
+            organization=org,
+        )