From 7ce8f87edc0bc8cdbc0831cc8e4f36690b834c25 Mon Sep 17 00:00:00 2001
From: Sylvain Le Bon <sylvain@startinblox.com>
Date: Fri, 26 Jan 2024 12:47:37 +0100
Subject: [PATCH] bugfix: access to user list is restricted to authenticated
 users

---
 djangoldp_account/models.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/djangoldp_account/models.py b/djangoldp_account/models.py
index 9d5dcc5..de07321 100644
--- a/djangoldp_account/models.py
+++ b/djangoldp_account/models.py
@@ -80,7 +80,7 @@ class LDPUser(AbstractUser, Model):
         lookup_field = 'slug'
         container_path = 'users'
         owner_urlid_field = 'urlid'
-        permission_classes = [IPOpenPermissions|AuthenticatedOnly&ReadOnly|OwnerPermissions]
+        permission_classes = [IPOpenPermissions|AuthenticatedOnly&(ReadOnly|OwnerPermissions)]
         nested_fields = user_nested_fields
         serializer_fields = user_fields + user_nested_fields
         empty_containers = user_empty_containers
@@ -130,7 +130,7 @@ class Account(Model):
         permissions = (('control_account', 'Control'),)
         lookup_field = 'slug'
         owner_field = 'user'
-        permission_classes = [IPOpenPermissions|AuthenticatedOnly&ReadOnly|OwnerPermissions]
+        permission_classes = [IPOpenPermissions|AuthenticatedOnly&(ReadOnly|OwnerPermissions)]
 
     def __str__(self):
         return '{} ({})'.format(self.user.get_full_name(), self.user.username)
@@ -146,7 +146,7 @@ class ChatProfile(Model):
         permissions = (('control_chatprofile', 'Control'),)
         lookup_field = 'slug'
         owner_field = 'user'
-        permission_classes = [IPOpenPermissions|AuthenticatedOnly&ReadOnly|OwnerPermissions]
+        permission_classes = [IPOpenPermissions|AuthenticatedOnly&(ReadOnly|OwnerPermissions)]
 
     def __str__(self):
         return '{} (jabberID: {})'.format(self.user.get_full_name(), self.jabberID)
-- 
GitLab