Return only user properties when actually needed #138
Comments
|
I think that the user e-mail addresses should only be displayed when the user has explicitly turned on an option to display the e-mail address on his / her profile. By default it should not show e-mail addresses. |
|
Why return all this info if you can only return an id? or secret id? then only users with rights to view the user's data can get it in another request. |
Brend-Smits
added
the
priority
|
I agree in the public private option. The main reason for this is that when you cannot search for a user who wants to be searchable( think of a teacher account) it gets harder to find certain projects. If teacher a creates application a,b,c and he wants the class to use them as an example it would be easy if the class could search teachers name and find all three. |
You can still search on (user) name perhaps? We can include the email addresses if the user opted in to show email publically. |
We need to be careful with returning users when requesting for example all projects. I recommend we look into all endpoints and check carefully what we are returning. In some cases only an ID would be sufficient to return, in others we do need a name.
I noticed we are returning email addresses when calling 'Get all projects" or "Project Detail" page.
There might be more endpoints that are accessible by Guests / Registered users that are able to get information that they should not be able to see so easily.
What needs to be done?
Might need to discuss this a little bit more, perhaps Guests should not be able to see the user's email and Registered users should be able to? Github has a setting for this in the profile section where you can control who sees your email (guest vs registered users). What does @DigitalExcellence/backend think?
The text was updated successfully, but these errors were encountered: