Current Behavior
If a user has the Flarum permission "View user list" (soon to be renamed "Search users") but not the FoF permission "View user directory", they still see the "Search all users for" link in the search autocomplete.
Steps to Reproduce
Set "View user list" permission to guests
Set "View user directory" permission to Admin
Search for any term in the global search bar
See link to directory
Expected Behavior
The link should not be visible since the user doesn't have access to the page
Screenshots
Environment
Flarum version: beta 16, probably 1.0 as well
Extension version: 0.6.2, probably dev-master as well
Possible solution(s)
Either we need to follow the same logic as the link to user directory page and use the existing app.forum.attribute('canSeeUserDirectoryLink'), or we need to introduce a new attribute either just based on the "View user directory" permission or maybe take the opportunity to introduce a new checkbox "Show link in search results" to match with the other link setting.
Additional Context
This is not a security issue. Hiding the user directory via the "View user directory" permission is only effective if the "View user list" permission matches the value.
If the "View user list" permission allows broader access than "View user directory", then we must only hide references to the user list page for aesthetic purposes.
Clicking the link in the search results actually loads the page fine since there is no additional client-side check to prevent access to the page. However, it results in a 404 error on refresh since we implemented a page not found error in the backend. Again, this is for aesthetics, since the data is always available from the REST API anyway.
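The two points of the report as an added sketch, not part of the original issue and not Flarum or FoF code: gating the search entry on the existing `canSeeUserDirectoryLink` attribute, and listing the groups for which hiding the directory is cosmetic only. The group ordering, the permission keys `viewUserList` and `viewUserDirectory`, the item shape and the function names are assumptions made for illustration.

```javascript
// Constructed model for illustration; not taken from Flarum or fof/user-directory.
// Assumption: groups are ordered from least to most privileged, and granting a
// permission to a group also grants it to every group after it.
const GROUPS = ['guest', 'member', 'mod', 'admin'];

// Groups holding a permission that was granted starting at `minGroup`.
function groupsWith(minGroup) {
  const start = GROUPS.indexOf(minGroup);
  if (start === -1) throw new Error(`unknown group: ${minGroup}`);
  return GROUPS.slice(start);
}

// First option from the report: reuse the attribute that already gates the
// directory link, so the autocomplete entry is only built when it is true.
// `forumAttrs` stands in for the values read via app.forum.attribute(...).
function searchFooterItems(forumAttrs, query) {
  const items = [];
  if (forumAttrs.canSeeUserDirectoryLink === true) {
    // Hypothetical item shape; the real component is not shown on the page.
    items.push({ label: `Search all users for "${query}"`, target: 'user-directory' });
  }
  return items;
}

// Groups that are denied the directory page but still hold "View user list".
// For these groups the hidden link and the backend 404 are presentation only:
// the same user data stays readable through the REST API.
function cosmeticOnlyGroups(perms) {
  const canList = groupsWith(perms.viewUserList);
  const canDirectory = new Set(groupsWith(perms.viewUserDirectory));
  return canList.filter((group) => !canDirectory.has(group));
}

// Settings from "Steps to Reproduce" (constructed input).
const reported = { viewUserList: 'guest', viewUserDirectory: 'admin' };
console.log(cosmeticOnlyGroups(reported));
console.log(searchFooterItems({ canSeeUserDirectoryLink: false }, 'bob'));
```

An empty result from `cosmeticOnlyGroups` means the two permissions match, which is the only configuration in which "View user directory" actually restricts access to the user list.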