Do not use meeting/user_ids anymore

[ostcar]

We have the definition, that a user is in a meeting, if he is in a group of a meeting: https://github.com/OpenSlides/OpenSlides/wiki/Users#user-association-to-meetings

Currently we have the field meeting/user_ids. It contains all user ids, that at least in one group of the meeting.

This field has a problem. It is not of type relation-list. So it is not restricted. This means, if a requestuser can see only some users of the meeting, he still gets all user-ids of this meeting. You can test this, when you have a requestuser that has not the permission user.can_see and visit the meeting list or the commitee detail view.

The solution is easy. Do not use this field but calculate it. To calculate it, you have to fetch meeting/group_ids/user_ids:

{
    "collection": "meeting",
    "ids": [
        1
    ],
    "fields": {
        "group_ids": {
            "type": "relation-list",
            "collection": "group",
            "fields": {
                "user_ids": null
            }
        }
    }
}

Then the user_ids of all fields have to be merged.

When you do it like this, the restricter removes the user_ids, that the request-user is not allowed to see.

After this is done in the client (and other services), the field can be removed in the backend.

[ostcar]

@emanuelschuetze also asks (he is sitting next to me), that the participant number in the meeting list view and committee detail view should be removed, when the request-user does not have the permission user.can_see.

[bastianjoel]

I will include this in #2097

[rrenkert]

@bastianjoel Can we close here?

[bastianjoel]

No

[rrenkert]

A small hint why the answer is "no" would be nice. Is this not included in the already merged #2097?

[bastianjoel]

No it is not included. I had some concerns about this and thought it might be better to test this separately.