API Security & Anti-Scam Protection

Overview

The xenohuru-api implements strict read-only access for public users to prevent scammers, fake listings, and malicious content. All write operations (POST, PUT, PATCH, DELETE) require admin/staff privileges.


Security Model

Permission System

ReadOnlyOrAdmin (app/core/permissions.py)

  • GET requests: Public access (no authentication required)
  • [-] POST/PUT/PATCH/DELETE: Admin/staff only

Access Levels

| User Type          | Read (GET) | Write (POST/PUT/PATCH/DELETE)     |
|--------------------|------------|-----------------------------------|
| Anonymous          | [x] Yes    | [-] No                            |
| Authenticated User | [x] Yes    | [-] No                            |
| Staff/Admin        | [x] Yes    | [x] Yes (via API or Admin Panel)  |
| Superuser          | [x] Yes    | [x] Yes (via API or Admin Panel)  |
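As an added illustration of the permission system and the access-level table above (this is not the project's own app/core/permissions.py), the block below implements a ReadOnlyOrAdmin permission in the DRF style, a hypothetical OwnProfileOrAdmin permission for the contributor "update your own profile" exception, and an expected_status helper that maps a request to the 200/401/403 outcome the table and the API Error Responses section describe. The fake_request stand-in and the class and function names other than ReadOnlyOrAdmin are assumptions made for the example; it runs with or without Django REST Framework installed.

```python
# Added illustration, not the project's app/core/permissions.py: a DRF-style
# ReadOnlyOrAdmin permission, the contributor "own profile" exception, and a
# helper mapping a request to the 200/401/403 outcome the Access Levels table lists.
from types import SimpleNamespace

try:
    from rest_framework.permissions import BasePermission, SAFE_METHODS
except ImportError:  # keep the example runnable without Django REST Framework
    BasePermission = object
    SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def _is_admin(user):
    """Staff or superuser, i.e. the table's 'Staff/Admin' and 'Superuser' rows."""
    return bool(user and user.is_authenticated and (user.is_staff or user.is_superuser))


class ReadOnlyOrAdmin(BasePermission):
    """GET/HEAD/OPTIONS for everyone; every write method needs staff/superuser."""

    def has_permission(self, request, view):
        if request.method in SAFE_METHODS:
            return True
        return _is_admin(getattr(request, "user", None))


class OwnProfileOrAdmin(BasePermission):
    """Hypothetical permission for /contributors/: the owner may update (PUT/PATCH)
    their own profile, while create (POST) and delete stay admin-only."""

    def has_permission(self, request, view):
        user = getattr(request, "user", None)
        if request.method in SAFE_METHODS or _is_admin(user):
            return True
        # Non-admins: only updates get as far as the object-level ownership check.
        return bool(user and user.is_authenticated and request.method in ("PUT", "PATCH"))

    def has_object_permission(self, request, view, obj):
        if request.method in SAFE_METHODS or _is_admin(request.user):
            return True
        # Ownership: the profile's user_id must match the requesting user.
        return getattr(obj, "user_id", None) == request.user.id


def fake_request(method, *, authenticated=False, staff=False, superuser=False, user_id=None):
    """Constructed stand-in for a DRF Request carrying only the attributes the checks read."""
    user = SimpleNamespace(is_authenticated=authenticated, is_staff=staff,
                           is_superuser=superuser, id=user_id)
    return SimpleNamespace(method=method, user=user)


def expected_status(request):
    """200 when ReadOnlyOrAdmin allows the call; otherwise 401 for anonymous callers
    and 403 for authenticated non-admins. (DRF's own 401-vs-403 choice also depends
    on the authenticator supplying a WWW-Authenticate header.)"""
    if ReadOnlyOrAdmin().has_permission(request, view=None):
        return 200
    return 403 if request.user.is_authenticated else 401


if __name__ == "__main__":
    for label, req in [("anonymous GET", fake_request("GET")),
                       ("anonymous POST", fake_request("POST")),
                       ("user POST", fake_request("POST", authenticated=True)),
                       ("staff POST", fake_request("POST", authenticated=True, staff=True))]:
        print(f"{label:15} -> {expected_status(req)}")
```

In a real DRF view the classes go into `permission_classes`; the object-level check only runs for detail routes, which is why OwnProfileOrAdmin refuses POST and DELETE for non-admins already in has_permission rather than relying on an object lookup.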

Protected Endpoints

🚨 CRITICAL - High Risk for Scammers

1. Tour Operators (/api/v1/operators/)

Risk: Fake tour companies, scam bookings, fraudulent contact information

Protection:

  • Public can browse verified operators
  • [-] Only admin can create new operators
  • [-] Only admin can modify operator details
  • Approval workflow (is_approved field)
  • Verification badge (is_verified field)

Admin Actions:

  • Verify legitimate tour operators
  • Approve/reject operator submissions
  • Soft delete suspicious operators
  • Update contact information

2. Partners (/api/v1/partners/)

Risk: Fake business partnerships, fraudulent sponsorships

Protection:

  • Public can view active partners
  • [-] Only admin can create partnerships
  • [-] Only admin can modify partner information
  • Tier system (platinum/gold/silver/community)

Admin Actions:

  • Verify partner legitimacy
  • Assign partnership tier
  • Manage partner visibility
  • Update partnership details

3. Blog Articles (/api/v1/blog/)

Risk: Phishing links, scam content, malicious redirects, spam

Protection:

  • Public can read published articles
  • [-] Only admin can create articles
  • [-] Only admin can edit/delete articles
  • Approval workflow (is_approved field)
  • Publishing workflow (status: draft/published/archived)

Admin Actions:

  • Review article content for scams/phishing
  • Approve/reject articles
  • Publish/unpublish articles
  • Moderate content

4. Contributors/Creator Profiles (/api/v1/contributors/)

Risk: Impersonation, fake credentials, fraudulent expert claims

Protection:

  • Public can view public profiles
  • Authenticated users can update their own profile only
  • [-] Only admin can create new contributor profiles
  • [-] Only admin can delete profiles
  • Public/private profile toggle

Admin Actions:

  • Verify contributor identities
  • Create profiles for verified contributors
  • Moderate profile content
  • Remove impersonators

Special Note: Contributors can update their own profiles, but profile creation is admin-only to prevent impersonation.


[x] PROTECTED - Standard Security

5. Attractions (/api/v1/attractions/)

Risk: False information, dangerous locations

Protection:

  • Public can browse approved attractions
  • [-] Only admin can create attractions
  • [-] Only admin can modify attraction data
  • Approval workflow (is_approved field)
  • Soft delete for disputed data

Admin Actions:

  • Verify attraction information
  • Update GPS coordinates
  • Approve/reject submissions
  • Manage attraction visibility

6. Regions (/api/v1/regions/)

Risk: Misinformation about Tanzania's administrative divisions

Protection:

  • Public can view all 31 official regions
  • [-] Only admin can create/modify regions
  • Official government data source

Admin Actions:

  • Update region descriptions
  • Correct data errors
  • Maintain official region list

Approval Workflow

All content goes through a multi-step approval process:

1. CREATION (Admin only)
   ↓
2. REVIEW (Admin panel)
   ↓
3. APPROVAL (is_approved = True)
   ↓
4. PUBLIC VISIBILITY (API shows approved content)
   ↓
5. MONITORING (Track API usage, detect abuse)
   ↓
6. SOFT DELETE if suspicious (deleted_at timestamp)

Admin Panel Access

Creating Content

All content must be created through the Django admin panel by staff/superusers:

  1. Tour Operators: /admin/operators/touroperator/add/
  2. Partners: /admin/partners/partner/add/
  3. Articles: /admin/blog/article/add/
  4. Contributors: /admin/contributors/creatorprofile/add/
  5. Attractions: /admin/attractions/attraction/add/
  6. Regions: /admin/regions/region/add/

Approval Actions

Available in list views:

  • Approve - Make content public
  • ⊘ Reject - Hide from public
  • ↺ Restore - Recover soft-deleted items
  • 🗑️ Move to trash - Soft delete

API Error Responses

401 Unauthorized

{
  "detail": "Authentication credentials were not provided."
}

Cause: A write operation was attempted without authentication.


403 Forbidden

{
  "detail": "You do not have permission to perform this action."
}

Cause: An authenticated but non-admin user attempted a write operation.

Solution: Use the admin panel or contact an administrator.


Why This Security Model?

Problem: Open APIs Attract Scammers

  1. Fake Tour Operators

    • Scammers create fake tour companies
    • Collect deposits and disappear
    • Damage Tanzania's tourism reputation
  2. Phishing Content

    • Fake blog articles with malicious links
    • Redirect users to scam websites
    • Steal personal/financial information
  3. Fraudulent Partnerships

    • Fake businesses claim partnerships
    • Use API credentials to seem legitimate
    • Damage partner brand reputation
  4. Impersonation

    • Fake expert profiles
    • False credentials and testimonials
    • Mislead travelers with bad advice

Solution: Read-Only Public API

[x] Benefits:

  • Prevents automated scam submissions
  • Requires admin verification before content goes live
  • Protects travelers from fraud
  • Maintains data quality
  • Preserves Tanzania tourism reputation
  • Enables trust through verification

[-] Trade-offs:

  • Users cannot self-register as operators
  • Content submission requires admin approval
  • Less "open" than fully public APIs

Decision: Safety and trust are more important than convenience.


For Legitimate Businesses

How to Get Listed

Tour Operators & Partners:

  1. Email: admin@xenohuru.com
  2. Provide: Business registration, licenses, references
  3. Admin will verify and create your listing
  4. You'll receive credentials to manage your profile (future feature)

Contributors:

  1. Apply through contact form
  2. Provide credentials and portfolio
  3. Admin creates verified profile
  4. You can update your own profile after approval

Attractions:

  1. Submit via contact form with evidence
  2. Admin verifies information
  3. Attraction added to database
  4. Community can suggest edits via admin

Monitoring & Abuse Prevention

API Usage Tracking

All API requests are logged:

  • Endpoint accessed
  • HTTP method
  • User (if authenticated)
  • IP address
  • Response time
  • Status code

Access via admin panel: /admin/core/apiusage/

Suspicious Activity Detection

Monitors for:

  • Repeated failed write attempts (potential attackers)
  • Unusual access patterns
  • Excessive read requests (potential scrapers)
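As an added example of the two detection rules above, run over the kind of log the API Usage Tracking section describes (this is not the project's own monitoring code): the block parses constructed log lines carrying the logged fields (timestamp, IP, user, method, endpoint, status, response time), then flags IPs with repeated failed write attempts (non-GET requests answered 401/403) inside a five-minute window and IPs with excessive reads inside a one-minute window, using a per-IP sliding window. The line format, thresholds and sample addresses are assumptions of the example.

```python
# Added example, not the project's monitoring code: detect the two patterns the
# page lists (repeated failed writes, excessive reads) in constructed usage logs.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line layout: "<ISO timestamp> <ip> <user|-> <METHOD> <path> <status> <ms>ms"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3}) (?P<ms>\d+)ms$"
)
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample: one IP hammering write endpoints unauthenticated, one
# legitimate user with a single 403, and one IP paging through attractions fast.
SAMPLE_LOG = [
    "2026-03-19T10:00:01Z 203.0.113.5 - POST /api/v1/operators/ 401 12ms",
    "2026-03-19T10:00:40Z 203.0.113.5 - POST /api/v1/operators/ 401 11ms",
    "2026-03-19T10:01:15Z 203.0.113.5 - PUT /api/v1/partners/3/ 401 10ms",
    "2026-03-19T10:01:50Z 203.0.113.5 - POST /api/v1/blog/ 401 13ms",
    "2026-03-19T10:02:00Z 192.0.2.9 alice GET /api/v1/regions/ 200 8ms",
    "2026-03-19T10:02:30Z 192.0.2.9 alice PATCH /api/v1/contributors/4/ 403 9ms",
] + [
    f"2026-03-19T10:05:{sec:02d}Z 198.51.100.7 - GET /api/v1/attractions/?page={sec} 200 7ms"
    for sec in range(60)
]


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": d["ip"], "user": d["user"], "method": d["method"],
        "path": d["path"], "status": int(d["status"]), "ms": int(d["ms"]),
    }


def burst_offenders(events, window, threshold):
    """IPs with at least `threshold` events inside some span of length `window`.
    Returns {ip: peak count in a window}. Sliding window per IP over sorted times."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    offenders = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                offenders[ip] = max(offenders.get(ip, 0), count)
    return offenders


def detect(lines, write_fail_threshold=3, write_window=timedelta(minutes=5),
           read_threshold=50, read_window=timedelta(minutes=1)):
    """Apply both rules; unparseable lines are skipped."""
    events = [e for e in map(parse_line, lines) if e]
    failed_writes = [e for e in events
                     if e["method"] in WRITE_METHODS and e["status"] in (401, 403)]
    reads = [e for e in events if e["method"] == "GET"]
    return {
        "repeated_failed_writes": burst_offenders(failed_writes, write_window, write_fail_threshold),
        "excessive_reads": burst_offenders(reads, read_window, read_threshold),
    }


if __name__ == "__main__":
    for rule, hits in detect(SAMPLE_LOG).items():
        print(rule, hits)
```

The thresholds are deliberately conservative defaults; tune them from the real /admin/core/apiusage/ data before acting on them, and note that a single 403 from a logged-in user (alice above) is normal behaviour and is not flagged. When rate limiting is introduced, DRF's built-in throttling (DEFAULT_THROTTLE_CLASSES and DEFAULT_THROTTLE_RATES in the REST_FRAMEWORK settings) covers the excessive-read case at the request layer, while this kind of log analysis remains useful for the failed-write pattern.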

Testing Permissions

Public User (No Auth)

# [x] Read - Works
curl https://xenohuru.cleven.is-a.dev/api/v1/operators/

# [-] Write - Blocked (401)
curl -X POST https://xenohuru.cleven.is-a.dev/api/v1/operators/ \
  -H "Content-Type: application/json" \
  -d '{"name":"Fake Company"}'

Authenticated User (Not Admin)

# [x] Read - Works
curl https://xenohuru.cleven.is-a.dev/api/v1/operators/ \
  -H "Authorization: Bearer <token>"

# [-] Write - Blocked (403)
curl -X POST https://xenohuru.cleven.is-a.dev/api/v1/operators/ \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"name":"My Company"}'

Admin/Staff User

# [x] Read - Works
curl https://xenohuru.cleven.is-a.dev/api/v1/operators/ \
  -H "Authorization: Bearer <admin_token>"

# [x] Write - Works
curl -X POST https://xenohuru.cleven.is-a.dev/api/v1/operators/ \
  -H "Authorization: Bearer <admin_token>" \
  -H "Content-Type: application/json" \
  -d '{"name":"Verified Company", ...}'

Future Enhancements

Planned Features:

  1. Verified User Submissions

    • Allow verified tour operators to update their own profiles
    • Require admin approval for changes
    • Email notifications for approval/rejection
  2. Public Contribution System

    • Users can suggest attraction edits
    • Stored in moderation queue
    • Admin reviews and approves changes
  3. Rate Limiting

    • Prevent API abuse
    • Throttle excessive requests
    • Protect against DDoS
  4. Reputation System

    • Track user behavior
    • Ban abusive users
    • Whitelist trusted partners

Contact

Security Concerns: **********
Business Listings: **********
General Support: **********


Last Updated: 2026-03-19
Policy Version: 1.0
