AMOENG-2407 - Introduce a new serializer for the lookup API endpoint and account retrieval with the Users:Lookup permission, exposing email without other sensitive fields

Author: bakulf

docs/topics/api/accounts.rst

@@ -52,7 +52,9 @@ A developer is defined as a user who is listed as a developer or owner of one or
 
 If you authenticate and access your own account by specifing your own ``user_id`` the following additional fields are returned.
 You can always access your account, regardless of whether you are a developer or not.
-If you have `Users:Edit` permission you will see these extra fields for all user accounts.
+If you have ``Users:Edit`` permission you will see these extra fields for all user accounts.
+If you have ``Users:Lookup`` permission (but not ``Users:Edit``) you will see all fields from
+the :ref:`account object <account-object>` plus ``email``, but not the other privileged fields below.
 
 .. http:get:: /api/v5/accounts/account/(int:user_id|string:username)/
 
@@ -110,15 +112,18 @@ Account Lookup
 .. note::
     This API requires :doc:`authentication <auth>` and ``Users:Lookup`` permission.
 
-This endpoint looks up one or more accounts by email address and returns their full details.
+This endpoint looks up one or more accounts by email address.
 Since multiple accounts can share the same email address, the response is always a list.
 Deleted accounts are excluded from results.
 
+The response includes all :ref:`account object <account-object>` fields plus ``email``,
+but excludes sensitive fields such as ``last_login_ip`` and ``permissions``.
+
 .. http:get:: /api/v5/accounts/account/lookup/
 
     :query string email: The email address to look up.
 
-    Returns a list of :ref:`account objects <account-object-self>`.
+    Returns a list of :ref:`account objects <account-object>` augmented with ``email``.
 
     :statuscode 200: account(s) found.
     :statuscode 400: ``email`` query parameter is missing.

src/olympia/accounts/serializers.py

@@ -81,6 +81,12 @@ class Meta(BaseUserSerializer.Meta):
         read_only_fields = fields
 
 
+class LookupUserProfileSerializer(FullUserProfileSerializer):
+    class Meta(FullUserProfileSerializer.Meta):
+        fields = FullUserProfileSerializer.Meta.fields + ('email',)
+        read_only_fields = fields
+
+
 class MinimalUserProfileSerializer(FullUserProfileSerializer):
     nullable_fields = (
         'biography',

src/olympia/accounts/tests/test_views.py

@@ -1376,6 +1376,22 @@ def test_admin_view_slug(self):
         assert response.data['email'] == self.random_user.email
         assert response.data['url'] == absolutify(self.random_user.get_url_path())
 
+    def test_lookup_view(self):
+        self.grant_permission(self.user, 'Users:Lookup')
+        self.client.login_api(self.user)
+        random_user = user_factory(biography='something!')
+        random_user_profile_url = reverse_ns(
+            'account-detail', kwargs={'pk': random_user.pk}
+        )
+        response = self.client.get(random_user_profile_url)
+        assert response.status_code == 200
+        assert response.data['name'] == random_user.name
+        assert response.data['biography'] == random_user.biography
+        assert response.data['email'] == random_user.email
+        assert 'last_login_ip' not in response.data
+        assert 'permissions' not in response.data
+        assert response.data['url'] == absolutify(random_user.get_url_path())
+
 
 class TestProfileViewWithJWT(APIKeyAuthTestMixin, TestCase):
     """This just tests JWT Auth (external) on the profile endpoint.
@@ -1409,8 +1425,9 @@ def test_lookup_by_email(self):
         response = self.get(self.url, data={'email': self.target_user.email})
         assert response.status_code == 200
         assert len(response.data) == 1
-        assert response.data[0]['email'] == self.target_user.email
         assert response.data[0]['id'] == self.target_user.pk
+        assert response.data[0]['email'] == self.target_user.email
+        assert 'last_login_ip' not in response.data[0]
 
     def test_lookup_multiple_users_same_email(self):
         # Multiple accounts can share the same email (no unique constraint).

src/olympia/accounts/views.py

@@ -68,6 +68,7 @@
 from .serializers import (
     AccountSuperCreateSerializer,
     FullUserProfileSerializer,
+    LookupUserProfileSerializer,
     MinimalUserProfileSerializer,
     SelfUserProfileSerializer,
     UserNotificationSerializer,
@@ -506,9 +507,15 @@ def self_view(self):
     def admin_viewing(self):
         return acl.action_allowed_for(self.request.user, amo.permissions.USERS_EDIT)
 
+    @property
+    def lookup_viewing(self):
+        return acl.action_allowed_for(self.request.user, amo.permissions.USERS_LOOKUP)
+
     def get_serializer_class(self):
         if self.self_view or self.admin_viewing:
             return SelfUserProfileSerializer
+        elif self.lookup_viewing:
+            return LookupUserProfileSerializer
         elif self.get_object().has_full_profile:
             return FullUserProfileSerializer
         else:
@@ -559,7 +566,7 @@ def lookup(self, request):
         )
         if not users.exists():
             raise exceptions.NotFound()
-        serializer = SelfUserProfileSerializer(
+        serializer = LookupUserProfileSerializer(
             users, many=True, context={'request': request}
         )
         return Response(serializer.data)