Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Normal user list #7887

Merged
merged 10 commits into from
Dec 7, 2023
Merged

feat: Normal user list #7887

merged 10 commits into from
Dec 7, 2023

Conversation

jvillafanez
Copy link
Member

Description

Allow regular users to list other users.

People with account management permissions (such as admins) can list users as they have been until now. This PR won't affect them in any way.

Regular users (without account management permission) can list users with the following restrictions:

  • Only "id", "displayName" and "mail" attributes will be shown per user.
  • "$search" option MUST be present in the query, with at least 3 characters
  • "$filter", "$apply", "$expand" and "$compute" options aren't allowed

Related Issue

#7782

Motivation and Context

How Has This Been Tested?

Manually tested.
Unit tests have been adjusted because some of them where failing due to the user not having enough permissions

Screenshots (if appropriate):

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Technical debt
  • Tests only (no source changes)

Checklist:

  • Code changes
  • Unit tests added
  • Acceptance tests added
  • Documentation ticket raised:

@update-docs Update Docs
Copy link

update-docs bot commented Dec 5, 2023

Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes.

AlexAndBear
AlexAndBear suggested changes Dec 5, 2023
View reviewed changes
Copy link
Contributor

@AlexAndBear AlexAndBear left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you please add a test to validate that only the minimal set of id,displayName and mail is present if the regular user is requesting the users endpoint ?

@rhafer
Copy link
Contributor

rhafer commented Dec 6, 2023

I took over here as @jvillafanez can't currently work it.

@rhafer
Copy link
Contributor

rhafer commented Dec 6, 2023

Could you please add a test to validate that only the minimal set of id,displayName and mail is present if the regular user is requesting the users endpoint ?

@janackermann done. Please re-review

@rhafer rhafer requested a review from AlexAndBear December 6, 2023 10:34
AlexAndBear
AlexAndBear approved these changes Dec 6, 2023
View reviewed changes
Copy link
Contributor

@AlexAndBear AlexAndBear left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💪

micbar
micbar approved these changes Dec 6, 2023
View reviewed changes
Copy link
Contributor

@micbar micbar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One change request, rest looks fine.

services/graph/pkg/service/v0/users.go Outdated Show resolved Hide resolved
@micbar micbar mentioned this pull request Dec 6, 2023
Open
22 tasks
@micbar
Copy link
Contributor

micbar commented Dec 6, 2023

Some getUser tests are failing.

@rhafer
Copy link
Contributor

rhafer commented Dec 6, 2023

Some getUser tests are failing.

Should be fixed now. I took the chance to also add the group search here now as well.

@rhafer rhafer requested a review from micbar December 6, 2023 13:10
jvillafanez and others added 10 commits December 6, 2023 15:39
@jvillafanez @rhafer
feat: list users as regular user
6a468bb
@jvillafanez @rhafer
test: fix unit tests
28b3d86
@jvillafanez @rhafer
chore: add changelog entry
1281c9f
@rhafer
graph/users: Use a full substring filter of user search
7b12677 
Previously we only did a prefix match.
@rhafer
graph/users: Add unittests for unprivileged user search
3b3f63a
@rhafer
graph/users: Return 'userType' for request from unprivileged users
05f2c9b
@rhafer
graph/users: clarify changelog
e6abcaa
@rhafer
graph/users: Make minimum search term length configurable
498769f
@rhafer
graph/users: Fix http status codes for unprivileged requests
09c59f3 
Neither 'BadRequest' (as expected in the unit test) nor 'Unauthorized' (as expected
in the API tests) seem correct here. We're no returning 'Forbidden' when an unprivileged
users issues a GetUsers request that it is not allowed to perform.
@rhafer
graph/groups: Allow unprivileged users to search for groups
5193c4b
@sonarqubecloud SonarQubeCloud
Copy link

sonarqubecloud bot commented Dec 6, 2023

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

78.8% 78.8% Coverage
11.8% 11.8% Duplication

@rhafer rhafer merged commit 1ace257 into master Dec 7, 2023
3 checks passed
@delete-merged-branch delete-merged-branch bot deleted the normal_user_list branch December 7, 2023 09:21
@micbar micbar mentioned this pull request Dec 12, 2023
Merged
12 tasks
@ScharfViktor ScharfViktor mentioned this pull request Dec 15, 2023
Closed
@ScharfViktor
Copy link
Contributor

Only "id", "displayName" and "mail" attributes will be shown per user.

we can bug where we can get full info about user #5125

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rhafer rhafer rhafer left review comments

@AlexAndBear AlexAndBear AlexAndBear approved these changes

@micbar micbar micbar approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@jvillafanez @rhafer @micbar @ScharfViktor @AlexAndBear