fix(spp_api_v2): remove url fallback from display_name to prevent security leak

jeremi · jeremi · commit ff1b28286ecf · 2026-02-18T17:23:25.000+07:00
The _compute_display_name method was falling back to record.url when
endpoint was not set. Since url has groups="spp_api_v2.group_api_v2_auditor"
but display_name is store=True with no groups restriction, the URL value
was being persisted into an unrestricted field, bypassing field-level security.
Also adds url to @api.depends implicitly by removing the reference entirely.
Replace the url fallback with a generic "API Call" string.
diff --git a/spp_api_v2/models/api_outgoing_log.py b/spp_api_v2/models/api_outgoing_log.py
@@ -142,7 +142,7 @@ class ApiOutgoingLog(models.Model):
     def _compute_display_name(self):
         for record in self:
             timestamp_str = record.timestamp.strftime("%Y-%m-%d %H:%M") if record.timestamp else ""
-            record.display_name = f"{record.http_method} {record.endpoint or record.url} @ {timestamp_str}"
+            record.display_name = f"{record.http_method} {record.endpoint or 'API Call'} @ {timestamp_str}"
 
     # ==========================================
     # API Methods
