From 9863eb9ee9b21fb8a21c3b742197cc8cd3e1b169 Mon Sep 17 00:00:00 2001
From: Jukka Ahonen
Date: Mon, 27 Jan 2025 10:58:05 +0200
Subject: [PATCH] attachment public serializers: remove unnecessary and sensitive data from output
---
 forms/serializers/form.py | 9 +++++++++
 forms/viewsets/form.py | 3 ++-
 plotsearch/serializers/plot_search.py | 9 +++++++++
 plotsearch/views/plot_search.py | 2 ++
 4 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/forms/serializers/form.py b/forms/serializers/form.py
index 3c903e21..ddf18454 100755
--- a/forms/serializers/form.py
+++ b/forms/serializers/form.py
@@ -923,5 +923,14 @@ def save(self, **kwargs):
 return super().save(**kwargs)
+class AttachmentPublicSerializer(AttachmentSerializer):
+ def to_representation(self, instance):
+ representation = super().to_representation(instance)
+ for key in ["attachment"]:
+ if key in representation:
+ representation.pop(key)
+ return representation
+
+
 class ReadAttachmentSerializer(AttachmentSerializer):
 field = serializers.CharField(source="field.identifier")
diff --git a/forms/viewsets/form.py b/forms/viewsets/form.py
index 6d94dda6..ddf9ee73 100755
--- a/forms/viewsets/form.py
+++ b/forms/viewsets/form.py
@@ -20,6 +20,7 @@
 AnswerOpeningRecordSerializer,
 AnswerPublicSerializer,
 AnswerSerializer,
+AttachmentPublicSerializer,
 AttachmentSerializer,
 FormSerializer,
 MeetingMemoSerializer,
@@ -178,7 +179,7 @@ def download(self, request, pk=None):
 class AttachmentPublicViewSet(FileExtensionFileMixin, AttachmentViewSet):
 """Includes FileExtensionFileMixin to validate file extensions."""
- pass
+ serializer_class = AttachmentPublicSerializer
 class TargetStatusViewset(
diff --git a/plotsearch/serializers/plot_search.py b/plotsearch/serializers/plot_search.py
index 2cbf063b..5f2c81e8 100755
--- a/plotsearch/serializers/plot_search.py
+++ b/plotsearch/serializers/plot_search.py
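Review bot: `AttachmentPublicSerializer.to_representation` hides `attachment` by popping it from the parent's output, which is a deny-list: any field later added to `AttachmentSerializer` (or emitted by a future override of its `to_representation`) reaches the public endpoint by default, and the same shape is used by `AreaSearchAttachmentPublicSerializer` in plotsearch/serializers/plot_search.py. A fail-closed alternative is for the public serializer to declare its own allow-list in `Meta.fields`, or, since the public endpoint presumably still has to accept the file on upload, to keep `attachment` writable but never emitted via `extra_kwargs = {"attachment": {"write_only": True}}` (this only applies when the field is generated from `Meta.fields` rather than declared on the class; the parent is outside the hunk, so confirm which it is). If the pop stays, `representation.pop("attachment", None)` replaces the loop-and-membership-test, and the class should carry a docstring such as `"""Representation served to unauthenticated callers; withholds the attachment (file URL) key."""` so the next maintainer knows the omission is deliberate. Input validation and the parent's `save()` path are untouched by this override.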
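Review bot: The docstring on `AttachmentPublicViewSet` still reads only `Includes FileExtensionFileMixin to validate file extensions.`, so it no longer describes the class once `serializer_class = AttachmentPublicSerializer` is added; the same holds for `AreaSearchAttachmentPublicViewset` in plotsearch/views/plot_search.py. Suggested wording: `"""Public attachment endpoint: validates file extensions and serializes with AttachmentPublicSerializer, which withholds the attachment field from responses."""`. A class attribute is only honoured if the inherited `AttachmentViewSet` does not override `get_serializer_class()`; that base class lies outside the hunk, so this is worth confirming, along with any custom action on it (the hunk header shows a `download` method) that builds its response without going through the serializer.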
@@ -840,6 +840,15 @@ def create(self, validated_data):
 return attachment
+class AreaSearchAttachmentPublicSerializer(AreaSearchAttachmentSerializer):
+ def to_representation(self, instance):
+ representation = super().to_representation(instance)
+ for key in ["attachment", "user", "area_search", "created_at"]:
+ if key in representation:
+ representation.pop(key)
+ return representation
+
+
 class AreaSearchStatusNoteSerializer(serializers.ModelSerializer):
 preparer = UserSerializer(read_only=True)
 time_stamp = serializers.DateTimeField(read_only=True)
diff --git a/plotsearch/views/plot_search.py b/plotsearch/views/plot_search.py
index 4ed805d1..fc3e3af7 100755
--- a/plotsearch/views/plot_search.py
+++ b/plotsearch/views/plot_search.py
@@ -64,6 +64,7 @@
 PlotSearchOpeningRecordPermissions,
 )
 from plotsearch.serializers.plot_search import (
+AreaSearchAttachmentPublicSerializer,
 AreaSearchAttachmentSerializer,
 AreaSearchDetailSerializer,
 AreaSearchListSerializer,
@@ -411,6 +412,7 @@ class AreaSearchAttachmentPublicViewset(
 ):
 """Includes FileExtensionFileMixin to validate file extensions."""
+ serializer_class = AreaSearchAttachmentPublicSerializer
 permission_classes = (AreaSearchAttachmentPublicPermissions,)
 def destroy(self, request, *args, **kwargs):
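Review bot: The `if key in representation` guard in `AreaSearchAttachmentPublicSerializer.to_representation` makes drift silent: if `user` or `area_search` is ever renamed in `AreaSearchAttachmentSerializer` (outside the hunk), the pop matches nothing and the field is served publicly again without any error. Since the point of this class is to withhold those keys, pin it with a test that asserts the exact key set of the public representation, e.g. `assert set(AreaSearchAttachmentPublicSerializer(obj).data) == EXPECTED_PUBLIC_KEYS`, where the expected set is a constant kept next to the class. The class also needs a docstring naming what is stripped and why; `"""Public view of an area-search attachment: omits the file URL, the uploading user, the linked area search and the creation time."""` covers what the code visibly does.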