[BUDI-7623] "Manage Roles" on the User table is not useful

[mjashanks]

The Users table has the option to Manage Roles, just like any other table.

This works. When I set Read = Power and try to access as Basic, I am prevented.

However, it seems like every app makes an initial call to /api/row/ta_users - presumably so it can be used for enriching users bindings? This causes an error on in the app, if Read access is restricted on the user table.

So, currently, it makes no sense to be able to restrict read access to the user table.

However, I do think that it makes sense for every logged in user to have a list of all the other users in the app. It would also be nice to restrict access to the user table, to stop everyone from seeing other user meta-data (i.e. custom columns).

I suggest that we have 2 separate endpoints:

• GET /api/rows/ta_users - which should work as is, no changes. gives the ability for allowed users to see the whole table.
• GET /api/users - which every logged in user has access to. This only returns a static set of fields - e.g. FirstName, LastName, _id and maybe Email. The client lib should call this one by default. I get that this may also have repercussions for Current User.Relationship things.

Originally from discussion: https://github.com/Budibase/budibase/discussions/3368#discussioncomment-1658137

_BUDI-7623

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity.

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity.