(claude identified, low priority -gpshead): apps/users/models.py:76-82 defines a @property that returns the user's plaintext DRF Token.key. It's referenced by no template or serializer (one test uses it: apps/downloads/tests/test_views.py:182), so today it does nothing. But its existence means a single future template typo ({{ user.api_v2_token }}) or a model_to_dict-style serialization could leak a capable API credential.
Describe the solution you'd like
Suggested: delete the property (updating that one test); if admin display ever needs it, a has_api_v2_token boolean serves without exposing the key.
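A regression guard for the change suggested above, as an added example that is not code from the issue or the project: plain-Python stand-ins (no Django) show a template-style dotted lookup returning the key through the property, and a check that no property on the user class returns it. The class shapes, the `token` attribute, `resolve`, `leaking_properties` and the sample key are assumptions made for illustration.

```python
import inspect

SAMPLE_KEY = "0123456789abcdef-constructed"  # constructed sample, not a real token


class Token:
    """Stand-in for the DRF Token row; only .key matters here."""
    def __init__(self, key):
        self.key = key


class UserBefore:
    """Assumed shape of the property the issue describes."""
    def __init__(self, token=None):
        self.token = token

    @property
    def api_v2_token(self):
        return self.token.key if self.token else ""


class UserAfter:
    """Suggested replacement: expose presence only, never the key."""
    def __init__(self, token=None):
        self.token = token

    @property
    def has_api_v2_token(self):
        return self.token is not None


def resolve(context, dotted):
    """Template-style dotted lookup: 'user.attr' walks getattr, '' if missing."""
    root, *parts = dotted.split(".")
    obj = context[root]
    for part in parts:
        obj = getattr(obj, part, "")
    return obj


def leaking_properties(user, secret):
    """Names of properties on the user's class whose value contains the secret."""
    props = inspect.getmembers(type(user), lambda a: isinstance(a, property))
    return [name for name, _ in props if secret in str(getattr(user, name))]
```

In a real test suite the same `leaking_properties` check can run against a user fixture that has a token, so any property reintroduced later that returns the key fails the build.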