From 1069857f52184759c062eade0be09de080ed7265 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne <bdauvergne@entrouvert.com>
Date: Tue, 23 Feb 2021 15:04:36 +0100
Subject: [PATCH 1/2] api: do not mix get_queryset() and filter_queryset()
 (#51368)

---
 src/authentic2/api_views.py | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/src/authentic2/api_views.py b/src/authentic2/api_views.py
index b2791325..f72559c6 100644
--- a/src/authentic2/api_views.py
+++ b/src/authentic2/api_views.py
@@ -77,6 +77,8 @@ if django.VERSION < (2,):
 if django.VERSION < (1, 11):
     authentication.authenticate = utils.authenticate
 
+User = get_user_model()
+
 
 class HookMixin(object):
     def get_serializer(self, *args, **kwargs):
@@ -739,6 +741,7 @@ class FreeTextSearchFilter(BaseFilterBackend):
 
 
 class UsersAPI(api_mixins.GetOrCreateMixinView, HookMixin, ExceptionHandlerMixin, ModelViewSet):
+    queryset = User.objects.filter(deleted__isnull=True)
     ordering_fields = ['username', 'first_name', 'last_name', 'modified', 'date_joined']
     lookup_field = 'uuid'
     serializer_class = BaseUserSerializer
@@ -759,10 +762,16 @@ class UsersAPI(api_mixins.GetOrCreateMixinView, HookMixin, ExceptionHandlerMixin
        return User._meta.ordering
 
     def get_queryset(self):
-        User = get_user_model()
-        qs = User.objects.filter(deleted__isnull=True)
+        qs = super().get_queryset()
         if self.request.method == 'GET':
             qs = qs.prefetch_related('attribute_values', 'attribute_values__attribute')
+        new_qs = hooks.call_hooks_first_result('api_modify_queryset', self, qs)
+        if new_qs is not None:
+            return new_qs
+        return qs
+
+    def filter_queryset(self, qs):
+        qs = super().filter_queryset(qs)
         qs = self.request.user.filter_by_perm(['custom_user.view_user'], qs)
         # filter users authorized for a specified service
         if 'service-slug' in self.request.GET:
@@ -778,9 +787,6 @@ class UsersAPI(api_mixins.GetOrCreateMixinView, HookMixin, ExceptionHandlerMixin
                     qs = qs.distinct()
             else:
                 qs = qs.none()
-        new_qs = hooks.call_hooks_first_result('api_modify_queryset', self, qs)
-        if new_qs is not None:
-            return new_qs
         return qs
 
     def update(self, request, *args, **kwargs):
-- 
2.30.0