Open lunamoonmoon opened 1 week ago
Currently, unpublished wells and aquifers are filtered on the FE in:
The data for these calls isn't processed by the API; it's fetched from an endpoint for a specific pbf file. This URL is defined in the code with vectorTileServerUrl. New endpoints will need to be added to the API so that the private data can be filtered out in the BE.
The other instance of showing/not showing data based on roles is in the surveys endpoint, which is already filtered in the BE.
Most of the other instances of checking user roles have to do with allowing certain actions, like bulk edits, adding new elements, etc. If we were being really thorough, we would make sure that POST calls from non-authorized users are rejected. Not sure if we do that everywhere or not. Would require another spike ticket.
Problem Description
In order to protect fields that are meant to be for certain logged in user roles, we need to determine which fields are needing protection and are currently being sent to the frontend for non-logged in users when they shouldn't be.
Solution Needs
Timebox
Outcome
Details describing the outcome of the research
Additional Context
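As an added illustration (not the project's code), this is the shape of the backend filtering the ticket calls for: unpublished wells are dropped on the server before a response is built, so an anonymous client never receives them, and POST requests from roles without edit rights are rejected. The role names, record fields and sample records are assumptions constructed for the example.

```python
"""Server-side role filtering for well records (illustrative, not the project's code)."""
from dataclasses import dataclass, field

# Constructed sample records; "published" marks rows anyone may see.
WELLS = [
    {"id": 101, "name": "Well A", "published": True,  "aquifer": "Upper"},
    {"id": 102, "name": "Well B", "published": False, "aquifer": "Upper"},
    {"id": 103, "name": "Well C", "published": False, "aquifer": "Lower"},
]

# Assumed role names; the real project's roles may be named differently.
ROLES_SEE_UNPUBLISHED = {"staff", "editor"}
ROLES_CAN_EDIT = {"editor"}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


ANONYMOUS = User(name="anonymous")


def visible_wells(user, wells=WELLS):
    """Filter on the server: unpublished rows never leave the backend for other roles."""
    if user.roles & ROLES_SEE_UNPUBLISHED:
        return list(wells)
    return [w for w in wells if w["published"]]


def handle(method, user, payload=None, wells=WELLS):
    """Minimal dispatcher: GET is filtered by role, POST requires an editing role."""
    if method == "GET":
        return 200, visible_wells(user, wells)
    if method == "POST":
        if not user.roles & ROLES_CAN_EDIT:
            return 403, {"error": "role not permitted to modify wells"}
        new = dict(payload, id=max(w["id"] for w in wells) + 1)
        wells.append(new)
        return 201, new
    return 405, {"error": "method not allowed"}


def leaks_unpublished(response_body):
    """Audit helper: True if any unpublished record is present in a response body."""
    return any(not w["published"] for w in response_body)
```

Running `leaks_unpublished` over the anonymous GET response is the check that would have caught the FE-only filtering described in the ticket.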