Hide non-visible operators from public validator endpoints #730
Merged
The public Wall of Shame and validator wallet endpoints surfaced the linked operator's profile identity (name, address, id, avatar) even for users who set their profile to non-visible, which contradicted the rest of the API where hidden users are not enumerable. Operator identity is now withheld whenever the linked user is not visible; the validator still appears, identified only by its on-chain operator address, so a misbehaving node cannot disappear by toggling visibility. Two production safeguards are also tightened: session and CSRF cookies are marked Secure outside DEBUG, and the wallet login endpoint no longer echoes raw exception details to clients in production.

## Claude Implementation Notes

- backend/validators/serializers.py: Gate operator_user on user.visible in ValidatorWalletSerializer and WallOfShameSerializer.
- backend/validators/views.py: Gate the grouped Wall of Shame _operator_user_payload on user.visible.
- backend/tally/settings.py: Set SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE to not DEBUG so cookies are HTTPS-only in production.
- backend/ethereum_auth/views.py: Log the exception and return a generic auth-failure message when DEBUG is off; keep full detail in DEBUG.
- backend/validators/tests/test_grafana_service.py: Add regression test that a non-visible operator's identity is withheld while the validator still appears.
The public Wall of Shame and validator wallet endpoints previously exposed the linked operator's profile identity (name, address, id, avatar) even for users who set their account to non-visible, which contradicted the rest of the API where hidden users are not enumerable. Operator identity is now withheld whenever the linked user is not visible, while the validator still appears identified only by its on-chain operator address, so a misbehaving node cannot disappear by toggling visibility. Two production safeguards are also hardened: session and CSRF cookies are marked Secure outside DEBUG, and the wallet login endpoint no longer echoes raw exception details to clients in production. Adds a regression test covering the hidden-operator case and a CHANGELOG entry.
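
The visibility gate described above, as an added plain-Python sketch that is not part of this pull request or the project's Django code. The `User` and `Validator` classes, `wall_of_shame`, `leaked_values` and all sample values are hypothetical; only the field names (name, address, id, avatar, visible, operator_user) come from the description.

```python
import json
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:  # hypothetical stand-in for the profile model
    id: int
    name: str
    address: str
    avatar: str
    visible: bool

@dataclass(frozen=True)
class Validator:  # hypothetical stand-in for a validator row
    operator_address: str  # on-chain identity, always public
    wallet: str
    user: Optional[User] = None  # linked profile, may be absent

def operator_user_payload(user):
    """Profile identity only for a linked, visible user; otherwise None."""
    if user is None or not user.visible:
        return None
    return {"id": user.id, "name": user.name,
            "address": user.address, "avatar": user.avatar}

def wall_of_shame(validators):
    """Group validators by on-chain operator address; never drop a group."""
    groups = defaultdict(list)
    for v in validators:
        groups[v.operator_address].append(v)
    return [{"operator_address": addr,
             "operator_user": operator_user_payload(rows[0].user),
             "validators": [r.wallet for r in rows]}
            for addr, rows in sorted(groups.items())]

def leaked_values(payload, user):
    """Regression check: hidden profile strings found anywhere in the JSON."""
    body = json.dumps(payload)
    return [s for s in (user.name, user.address, user.avatar) if s in body]

# Constructed sample data, not taken from the project.
HIDDEN = User(7, "alice", "0xA11CE", "https://example.invalid/a.png", False)
SHOWN = User(8, "bob", "0xB0B", "https://example.invalid/b.png", True)
SAMPLE = [Validator("0xOP1", "0xW1", HIDDEN), Validator("0xOP1", "0xW2", HIDDEN),
          Validator("0xOP2", "0xW3", SHOWN), Validator("0xOP3", "0xW4")]

if __name__ == "__main__":
    print(json.dumps(wall_of_shame(SAMPLE), indent=2))
```

Scanning the whole serialized response for the hidden user's values, rather than checking only the `operator_user` key, also catches the identity leaking through a different field.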