Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BREAK] Always remove the field services from user data responses in REST API #10799

Merged
merged 5 commits into from
Jun 20, 2018
Merged

[BREAK] Always remove the field services from user data responses in REST API #10799

merged 5 commits into from
Jun 20, 2018

Conversation

MarcosSpessatto
Copy link
Member

No description provided.

@MarcosSpessatto MarcosSpessatto self-assigned this May 17, 2018
@engelgabriel engelgabriel temporarily deployed to rocket-chat-pr-10799 May 17, 2018 16:54 Inactive
@engelgabriel engelgabriel temporarily deployed to rocket-chat-pr-10799 May 17, 2018 18:16 Inactive
graywolf336
graywolf336 previously requested changes May 17, 2018
View reviewed changes
Copy link
Contributor

@graywolf336 graywolf336 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please change this to breaking, as it heavily breaks the response we've been returning for a long time now.

packages/rocketchat-api/server/helpers/parseJsonQuery.js Outdated
@@ -1,4 +1,7 @@
RocketChat.API.helperMethods.set('parseJsonQuery', function _parseJsonQuery() {
const VIEW_FULL_USER_FIELDS_TO_EXCLUDE = {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't define this every time the call happens, move it outside.

@engelgabriel engelgabriel temporarily deployed to rocket-chat-pr-10799 May 17, 2018 18:51 Inactive
@MarcosSpessatto MarcosSpessatto changed the title [FIX] Remove sensitive user data from response, even if the user is admin [BREAK] Remove sensitive user data from response, even if the user is admin May 17, 2018
@graywolf336 graywolf336 dismissed their stale review May 18, 2018 04:29

Changes made.

@marceloschmidt
Copy link
Member

@rodrigok @graywolf336 @MarcosSpessatto what's the status on this? we need to get it merged... has the mobile team been informed of the breaking change?

@geekgonecrazy
Copy link
Contributor

@RocketChat/android @RocketChat/ios just in case not on radar.

cardoso
cardoso reviewed May 29, 2018
View reviewed changes
packages/rocketchat-api/server/helpers/parseJsonQuery.js Outdated
@@ -52,8 +60,12 @@ RocketChat.API.helperMethods.set('parseJsonQuery', function _parseJsonQuery() {
// Verify the user has permission to query the fields they are
if (typeof query === 'object') {
let nonQuerableFields = Object.keys(RocketChat.API.v1.defaultFieldsToExclude);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"nonQueryable"

@cardoso
Copy link
Contributor

cardoso commented May 29, 2018

@geekgonecrazy @marceloschmidt @MarcosSpessatto @graywolf336 this doesn't break anything for us

@MarcosSpessatto MarcosSpessatto added this to the 0.66.0 milestone Jun 5, 2018
ggazzo
ggazzo previously requested changes Jun 12, 2018
View reviewed changes
Copy link
Member

@ggazzo ggazzo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please see the comments

packages/rocketchat-api/server/helpers/parseJsonQuery.js Outdated
if (!RocketChat.authz.hasPermission(this.userId, 'view-full-other-user-info') && this.request.route.includes('/v1/users.')) {
nonSelectableFields = nonSelectableFields.concat(Object.keys(RocketChat.API.v1.limitedUserFieldsToExclude));
if (this.request.route.includes('/v1/users.')) {
if (RocketChat.authz.hasPermission(this.userId, 'view-full-other-user-info')) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what do you think

	...
	const getFields = () => Object.keys(RocketChat.authz.hasPermission(this.userId, 'view-full-other-user-info') ? RocketChat.API.v1.limitedUserFieldsToExcludeIfIsPrivilegedUser : RocketChat.API.v1.limitedUserFieldsToExclude);
	nonSelectableFields = nonSelectableFields.concat(getFields());
	...

@marceloschmidt
Copy link
Member

Can we merge this yet?

@MarcosSpessatto
Copy link
Member Author

@ggazzo what do you think?

@rodrigok rodrigok changed the title [BREAK] Remove sensitive user data from response, even if the user is admin [BREAK] Always remove the field services from user data responses Jun 20, 2018
@rodrigok rodrigok changed the title [BREAK] Always remove the field services from user data responses [BREAK] Always remove the field services from user data responses in REAT API Jun 20, 2018
@rodrigok rodrigok changed the title [BREAK] Always remove the field services from user data responses in REAT API [BREAK] Always remove the field services from user data responses in REST API Jun 20, 2018
@rodrigok rodrigok merged commit c53fa4d into develop Jun 20, 2018
@rodrigok rodrigok deleted the fix/rest-user-fields-returned branch June 20, 2018 21:55
@rodrigok rodrigok mentioned this pull request Jun 28, 2018
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cardoso cardoso cardoso left review comments

@rodrigok rodrigok rodrigok approved these changes

@graywolf336 graywolf336 graywolf336 left review comments

@ggazzo ggazzo ggazzo left review comments

Assignees

@MarcosSpessatto MarcosSpessatto

Labels
feat: api feat: rest
Projects
None yet
Milestone
0.66.0
Development

Successfully merging this pull request may close these issues.
8 participants
@MarcosSpessatto @marceloschmidt @geekgonecrazy @cardoso @rodrigok @graywolf336 @ggazzo @engelgabriel