Return only user properties when actually needed #138
Labels: input wanted, priority
We need to be careful with returning users when requesting, for example, all projects. I recommend we look into all endpoints and check carefully what we are returning. In some cases only an ID would be sufficient to return; in others we do need a name.
I noticed we are returning email addresses when calling "Get all projects" or "Project Detail" page.
There might be more endpoints that are accessible by Guests / Registered users that are able to get information that they should not be able to see so easily.
What needs to be done?
Might need to discuss this a little bit more, perhaps Guests should not be able to see the user's email and Registered users should be able to? GitHub has a setting for this in the profile section where you can control who sees your email (guest vs registered users). What does @DigitalExcellence/backend think?
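One way to carry out the endpoint review this issue asks for, as an added example that is not the project's own code: a per-role projection of the embedded user object plus a walker that reports every JSON path in a response that exposes an email address. The role names, field names, the guest/registered policy and the sample response are assumptions made for illustration.

```python
import re

# Assumed policy (the issue leaves this open): user fields each viewer role may see.
VISIBLE_USER_FIELDS = {
    "guest": {"id", "name"},
    "registered": {"id", "name", "email"},
}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

# Constructed sample shaped like a "Get all projects" response; field names are assumed.
SAMPLE_PROJECTS = [
    {"id": 1, "name": "Demo", "user": {"id": 7, "name": "Alice", "email": "alice@example.com"}},
    {"id": 2, "name": "Other", "user": {"id": 8, "name": "Bob", "email": "bob@example.com"},
     "collaborators": [{"id": 9, "name": "Carol", "contact": "carol@example.com"}]},
]

def project_user(user, role):
    """Return only the user properties the viewer role is allowed to see."""
    allowed = VISIBLE_USER_FIELDS.get(role, {"id"})  # unknown role: ID only
    return {k: v for k, v in user.items() if k in allowed}

def render_projects(projects, role):
    """Build the response body with every embedded user reduced for this role."""
    out = []
    for p in projects:
        shaped = dict(p, user=project_user(p["user"], role))
        if "collaborators" in p:
            shaped["collaborators"] = [project_user(c, role) for c in p["collaborators"]]
        out.append(shaped)
    return out

def find_email_leaks(payload, path="$"):
    """Walk a decoded JSON response; return paths exposing an email by key name or value shape."""
    leaks = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            child = f"{path}.{key}"
            if "email" in key.lower() and value is not None:
                leaks.append(child)
            else:
                leaks.extend(find_email_leaks(value, child))
    elif isinstance(payload, list):
        for i, item in enumerate(payload):
            leaks.extend(find_email_leaks(item, f"{path}[{i}]"))
    elif isinstance(payload, str) and EMAIL_RE.fullmatch(payload):
        leaks.append(path)
    return leaks
```

Running `find_email_leaks` over each endpoint's response as a guest and as a registered user gives a concrete list of fields to discuss, including addresses stored under keys that are not named "email".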