feat: Add public event listing REST API endpoint

[OsauravO]

Summary

Fixes #2772

Adds a new read-only REST API endpoint at GET /api/v1/events/ that allowsunauthenticated users to browse public, live events. Previously, theEventViewSet at /api/v1/organizers/{organizer}/events/ returned 403 for
unauthenticated requests, even though the same event data was publicly visibleon the HTML start page.

Changes

• app/eventyay/api/serializers/event.py — Added PublicEventSerializerwith a limited set of public-safe fields (name, slug, organizer, dates,location, currency, geo coordinates, has_subevents). Sensitive fields like plugins, sales_channels, meta_data, seating_plan, and valid_keys are excluded.

• app/eventyay/api/views/event.py — Added PublicEventFilter (search by name, filter by organizer/past/future) and PublicEventViewSet (read-only, no authentication required). The queryset filters for live=True, is_public=True, and excludes test-mode events.

• app/eventyay/api/urls.py — Registered the new viewset at /api/v1/events/.

API

Method	Endpoint	Auth	Description
GET	/api/v1/events/	None	List public events (paginated)
GET	/api/v1/events/{slug}/	None	Single event detail

Query parameters: ?q= (name search), ?organizer= (filter by slug),
?is_future=true/false, ?is_past=true/false, ?has_subevents=true/false,
?ordering=date_from / -date_from / name / slug

Example response:

{
  "count": 1,
  "next": null,
  "previous": null,
  "results": [
    {
      "name": {"en": "Test Conference 2026"},
      "slug": "testevent",
      "organizer": "testorg",
      "date_from": "2026-04-05T15:42:36.239375Z",
      "date_to": "2026-04-07T15:42:36.239382Z",
      "location": null,
      "currency": "USD",
      "has_subevents": false,
      "geo_lat": null,
      "geo_lon": null
    }
  ]
}

Summary by Sourcery

Add a public, read-only REST endpoint to list and retrieve live public events by slug.

New Features:

• Expose a /api/v1/events/ endpoint that lets unauthenticated users list and view public, live events by slug using a restricted public serializer.

Enhancements:

• Introduce a dedicated PublicEventSerializer and filter set to expose only non-sensitive event fields with basic search, filtering, and ordering options via the new endpoint.

[sourcery-ai]

Reviewer's Guide

Adds a new unauthenticated, read-only REST endpoint /api/v1/events/ exposing a restricted public view of live, public events with filtering, search, ordering, and slug-based detail retrieval, implemented via a dedicated serializer, filterset, and viewset wired into the main API router.

Sequence diagram for public events listing API request

sequenceDiagram
    actor Client
    participant Router
    participant PublicEventViewSet
    participant PublicEventFilter
    participant EventModel
    participant PublicEventSerializer

    Client->>Router: GET /api/v1/events/?q=conf&organizer=testorg&is_future=true
    Router->>PublicEventViewSet: dispatch list
    activate PublicEventViewSet

    PublicEventViewSet->>PublicEventViewSet: get_queryset()
    PublicEventViewSet->>EventModel: filter(live=True, is_public=True)
    EventModel-->>PublicEventViewSet: base_queryset
    PublicEventViewSet->>EventModel: exclude(testmode=True)
    EventModel-->>PublicEventViewSet: filtered_queryset

    PublicEventViewSet->>PublicEventFilter: apply filters(q, organizer, is_future, is_past, has_subevents)
    activate PublicEventFilter
    PublicEventFilter->>EventModel: search_qs(name__icontains=q)
    EventModel-->>PublicEventFilter: queryset
    PublicEventFilter->>EventModel: is_future_qs(now_based_expression)
    EventModel-->>PublicEventFilter: queryset
    PublicEventFilter-->>PublicEventViewSet: filtered_queryset
    deactivate PublicEventFilter

    PublicEventViewSet->>PublicEventSerializer: serialize(paginated_queryset, many=True)
    PublicEventSerializer-->>PublicEventViewSet: response_data
    deactivate PublicEventViewSet

    PublicEventViewSet-->>Client: 200 OK (paginated public event list)

Loading

Class diagram for public events API components

classDiagram
    class Event {
        +UUID id
        +string slug
        +string name
        +bool live
        +bool is_public
        +bool testmode
        +bool has_subevents
        +datetime date_from
        +datetime date_to
        +string location
        +string currency
        +float geo_lat
        +float geo_lon
    }

    class I18nAwareModelSerializer {
    }

    class PublicEventSerializer {
        +organizer SlugRelatedField
        +Meta meta
    }

    class PublicEventSerializer_Meta {
        +model Event
        +fields name, slug, organizer, date_from, date_to,
        +fields location, currency, has_subevents, geo_lat, geo_lon
        +read_only_fields fields
    }

    class FilterSet {
    }

    class PublicEventFilter {
        +BooleanFilter is_past
        +BooleanFilter is_future
        +CharFilter organizer
        +CharFilter q
        +Meta meta
        +is_past_qs(queryset, name, value) QuerySet
        +is_future_qs(queryset, name, value) QuerySet
        +search_qs(queryset, name, value) QuerySet
    }

    class PublicEventFilter_Meta {
        +model Event
        +fields has_subevents
    }

    class GenericViewSet {
    }

    class ListModelMixin {
    }

    class RetrieveModelMixin {
    }

    class PublicEventViewSet {
        +serializer_class PublicEventSerializer
        +queryset QuerySet
        +permission_classes AllowAny
        +authentication_classes empty_tuple
        +lookup_field slug
        +filter_backends DjangoFilterBackend, OrderingFilter
        +ordering date_from
        +ordering_fields date_from, name, slug
        +filterset_class PublicEventFilter
        +get_queryset() QuerySet
    }

    class AllowAny {
    }

    class DjangoFilterBackend {
    }

    class OrderingFilter {
    }

    PublicEventSerializer --|> I18nAwareModelSerializer
    PublicEventSerializer_Meta --|> PublicEventSerializer
    PublicEventFilter --|> FilterSet
    PublicEventFilter_Meta --|> PublicEventFilter
    PublicEventViewSet --|> GenericViewSet
    PublicEventViewSet --|> ListModelMixin
    PublicEventViewSet --|> RetrieveModelMixin
    PublicEventViewSet --> PublicEventSerializer : uses
    PublicEventViewSet --> PublicEventFilter : uses
    PublicEventViewSet --> AllowAny : permission_classes
    PublicEventViewSet --> DjangoFilterBackend : filter_backends
    PublicEventViewSet --> OrderingFilter : filter_backends
    PublicEventFilter --> Event : filters
    PublicEventSerializer --> Event : model
    EventModel <|-- Event

Loading

File-Level Changes

Change	Details	Files
Introduce a dedicated public event serializer exposing only non-sensitive event fields for the new endpoint.	Create PublicEventSerializer as an I18n-aware model serializer bound to Event Expose only safe fields such as name, slug, organizer slug, dates, location, currency, geo coordinates, and has_subevents Mark all serializer fields as read-only to enforce read-only semantics	app/eventyay/api/serializers/event.py
Add a read-only PublicEventViewSet with filtering, search, and ordering for public, live, non-test events, addressable by slug.	Define PublicEventFilter to support boolean past/future filters, organizer slug filter, name search, and has_subevents field filtering using explicit date range expressions Create PublicEventViewSet combining GenericViewSet with List/Retrieve mixins, using AllowAny permissions and no authentication Configure queryset to return only live, public, non-test events and select_related organizer for efficiency Enable DjangoFilterBackend and OrderingFilter with default ordering by date_from and allow ordering by date_from, name, or slug Use slug as the lookup field so individual events can be retrieved via /api/v1/events/{slug}/	app/eventyay/api/views/event.py
Expose the new public events API at a top-level REST route.	Register PublicEventViewSet on the default router under the events prefix with basename public-events Ensure the new public listing does not interfere with existing organizer-scoped EventViewSet routes	app/eventyay/api/urls.py

Assessment against linked issues

Issue	Objective	Addressed	Explanation
#2772	Provide a REST API endpoint that allows unauthenticated users to list publicly visible events that are currently exposed on the HTML start page.	✅
#2772	Ensure the public events API only exposes appropriate public event data (live, public events; excludes test events; no sensitive fields).	✅

Possibly linked issues

• Bug: Public events visible on start page but inaccessible via REST API for unauthenticated users #2772: PR adds a public, unauthenticated events endpoint, providing the missing JSON access described in the issue.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've left some high level feedback:

• The PublicEventFilter duplicates is_past_qs/is_future_qs logic already present in EventFilter; consider extracting the shared date-range predicates into a reusable helper or base class to keep this logic consistent and easier to maintain.
• In PublicEventViewSet, you might want to reuse any existing search behavior (e.g., i18n-aware name search or slug search) instead of name__icontains only, so that the public listing behaves consistently with other event search endpoints.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The `PublicEventFilter` duplicates `is_past_qs`/`is_future_qs` logic already present in `EventFilter`; consider extracting the shared date-range predicates into a reusable helper or base class to keep this logic consistent and easier to maintain.
- In `PublicEventViewSet`, you might want to reuse any existing search behavior (e.g., i18n-aware name search or slug search) instead of `name__icontains` only, so that the public listing behaves consistently with other event search endpoints.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[Copilot]

Pull request overview

Adds a new public, unauthenticated REST API surface for browsing public, live events, complementing the existing organizer-scoped (authenticated) events API.

Changes:

• Introduces PublicEventSerializer to expose a restricted, public-safe subset of Event fields.
• Adds PublicEventViewSet + PublicEventFilter to provide read-only list/retrieve with filtering/ordering for public events.
• Registers the new viewset under /api/v1/events/.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File	Description
app/eventyay/api/views/event.py	Adds the new public viewset + filter and public-event queryset selection.
app/eventyay/api/serializers/event.py	Adds a restricted serializer for public event exposure.
app/eventyay/api/urls.py	Registers /api/v1/events/ route via the DRF router.

[Sak1012]

Thanks for the effort. Closing this PR because we do not want to introduce unauthenticated REST endpoints for event data. It is preferred to keep API access under a consistent authenticated model instead of exposing a parallel public API, even for fields that are already visible in the frontend. Public page visibility and public API access are not the same product decision, and the latter carries a larger longterm maintenance and compatibility burden.

[OsauravO]

@Sak1012

Thanks for review, understood, that makes sense. I will keep this in mind for future contributions.