API V3: use a restricted serializer for when showing org info from a project (#11732)

* API V3: use a restricted serializer for when showing org info from a project

If a project is public, we don't want to show
the organization information, but it can still be useful
to see which organization the project belongs to.

* Linter

Author: stsewd

readthedocs/api/v3/serializers.py

@@ -806,10 +806,12 @@ class Meta:
                     "many": True,
                 },
             ),
-            # NOTE: we use a serializer without expandable fields to avoid
-            # leaking information about the organization through the project.
+            # NOTE: we use a different serializer with just a subset of fields
+            # to avoid leaking information about the organization through a public project.
+            # Users can use the /api/v3/organizations/ endpoint to get more information
+            # about the organization.
             "organization": (
-                "readthedocs.api.v3.serializers.OrganizationSerializer",
+                "readthedocs.api.v3.serializers.RestrictedOrganizationSerializer",
                 # NOTE: we cannot have a Project with multiple organizations.
                 {"source": "organizations.first"},
             ),
@@ -1209,6 +1211,26 @@ class Meta:
         )
 
 
+class RestrictedOrganizationSerializer(serializers.ModelSerializer):
+
+    """
+    Stripped version of the OrganizationSerializer to be used when listing projects.
+
+    This serializer is used to avoid leaking information about the organization through a public project.
+    Instead of checking if user has access to the organization, we just show the name and slug.
+    """
+
+    _links = OrganizationLinksSerializer(source="*")
+
+    class Meta:
+        model = Organization
+        fields = (
+            "name",
+            "slug",
+            "_links",
+        )
+
+
 class RemoteOrganizationSerializer(serializers.ModelSerializer):
     class Meta:
         model = RemoteOrganization