Filter inactive/unapproved users out of SecureAPI requests. Fixes #552

2026-01-18 14:02:15 +00:00 · 2023-06-28 12:55:42 +01:00
parent 9f4cd41d23
commit c9ba228bd2
2 changed files with 4 additions and 1 deletions
--- a/PyRIGS/views.py
+++ b/PyRIGS/views.py
@@ -134,6 +134,9 @@ class SecureAPIRequest(generic.View):
            results = []
            query = reduce(operator.and_, queries)
            objects = self.models[model].objects.filter(query)
+            # Returning unactivated or unapproved users when they are elsewhere filtered out of the default queryset leads to some *very* unexpected results
+            if model == "profile":
+                objects = objects.filter(is_active=True, is_approved=True)
            for o in objects:
                name = o.display_name if hasattr(o, 'display_name') else o.name
                data = {