[FIX] Users without the view-other-user-info permission can't use the users.list endpoint #26050

Merged
merged 9 commits into from
Jul 18, 2022

Contributor

@LucianoPierdona LucianoPierdona commented Jun 28, 2022

Proposed changes (including videos or screenshots)

This PR fixes the query when a normal user accesses users.list

Issue(s)

Closes: #25728

Steps to test or reproduce

Further comments

@ggazzo
Member

ggazzo commented Jun 28, 2022

Now this is a breaking change

@LucianoPierdona LucianoPierdona changed the title [FIX] Prevent normal users to access users.list [BREAK] Prevent normal users to access users.list Jun 29, 2022
@LucianoPierdona LucianoPierdona marked this pull request as ready for review June 29, 2022 12:10
Contributor

@matheusbsilva137 matheusbsilva137 left a comment

I think a better approach would be to update the defaultQuery in getNonEmptyQuery so that the emails.address field is included only for users with the view-full-other-user-info permission.
Also, we should add type to the defaultFields in the getNonEmptyFields function in order to support searches by type.
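
A sketch of the approach suggested in the review comment above, added here as an illustration and not taken from the PR or the Rocket.Chat code base. The function `buildUsersListQuery`, its signature and the field lists are assumptions; rejecting caller-supplied filters that name a restricted field goes one step beyond the comment, since a default-query fix alone does not cover that path.

```typescript
// Added illustration, not Rocket.Chat code: names, signatures and field lists are assumptions.
type Query = { [key: string]: unknown };

const FULL_INFO = 'view-full-other-user-info';
const BASE_FIELDS = ['username', 'name', 'type']; // constructed list: searchable by any caller
const RESTRICTED_FIELDS = ['emails.address']; // searchable only with FULL_INFO
const LOGICAL = ['$and', '$or', '$nor']; // the only operators we descend through

function allowedSearchFields(permissions: string[]): string[] {
  const full = permissions.indexOf(FULL_INFO) !== -1;
  return full ? BASE_FIELDS.concat(RESTRICTED_FIELDS) : BASE_FIELDS.slice();
}

// Collect every field name a Mongo-style filter touches. Any other top-level
// operator ($where, $expr, ...) is reported as a "field" so it fails the allow-list.
function queriedFields(node: unknown, out: string[] = []): string[] {
  if (Array.isArray(node)) {
    node.forEach((item) => queriedFields(item, out));
  } else if (node !== null && typeof node === 'object') {
    Object.keys(node as object).forEach((key) => {
      if (LOGICAL.indexOf(key) !== -1) queriedFields((node as Query)[key], out);
      else out.push(key);
    });
  }
  return out;
}

function escapeRegExp(text: string): string {
  return text.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Hypothetical stand-in for getNonEmptyQuery: the default search covers permitted
// fields only, and a caller-supplied filter is rejected if it names anything else.
function buildUsersListQuery(query: Query | undefined, term: string, permissions: string[]): Query {
  const allowed = allowedSearchFields(permissions);
  if (query && Object.keys(query).length > 0) {
    const denied = queriedFields(query).filter((f) => allowed.indexOf(f) === -1);
    if (denied.length > 0) throw new Error('query uses non-permitted fields: ' + denied.join(', '));
    return query;
  }
  const pattern = { $regex: escapeRegExp(term), $options: 'i' };
  return { $or: allowed.map((field) => ({ [field]: pattern })) };
}
```
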

Member

@debdutdeb debdutdeb left a comment

The PR description is saying users need the view-user-administration permission, not seeing the check there (in the route options you can add permissionsRequired: ['view-user-administration']).

apps/meteor/app/api/server/lib/users.ts Outdated
@LucianoPierdona
Contributor Author

> The PR description is saying users need the view-user-administration permission, not seeing the check there (in the route options you can add permissionsRequired: ['view-user-administration']).

@debdutdeb my bad, I forgot to update the description but this permission is not needed anymore, looks like the endpoint is going to be available for all users. @matheusbsilva137 can confirm.

@LucianoPierdona LucianoPierdona changed the title [BREAK] Prevent normal users to access users.list [BREAK] Fix query when normal users access users.list Jul 12, 2022
@matheusbsilva137 matheusbsilva137 changed the title [BREAK] Fix query when normal users access users.list [FIX] Users without the `view-other-user-info permission are unable to use users.list Jul 12, 2022
@matheusbsilva137 matheusbsilva137 changed the title [FIX] Users without the `view-other-user-info permission are unable to use users.list [FIX] Users without the view-other-user-info permission are unable to use users.list Jul 12, 2022
@matheusbsilva137 matheusbsilva137 changed the title [FIX] Users without the view-other-user-info permission are unable to use users.list [FIX] Users without the view-other-user-info permission can't use the users.list endpoint Jul 12, 2022
@nishant23122000
Contributor

It's working fine.

@debdutdeb debdutdeb added stat: QA tested stat: ready to merge PR tested and approved waiting for merge and removed stat: needs QA labels Jul 16, 2022
@debdutdeb debdutdeb added this to the 5.0.0 milestone Jul 16, 2022
@ggazzo ggazzo merged commit b7012da into develop Jul 18, 2022
@ggazzo ggazzo deleted the fix/users-list-query branch July 18, 2022 16:55
@murtaza98 murtaza98 mentioned this pull request Jul 21, 2022
Successfully merging this pull request may close these issues.

GET users.list broken for "normal" users