The GET /users and GET /users/{id} endpoints both require admin permissions, but we need ordinary users to have access to them so the frontend can validate usernames. Also these endpoints return password hashes, which is bad.
Change GET /users and GET /users/{id} to require regular user permissions instead of admin permissions.
Make sure password_hash is not returned in the response.
Update the swagger documentation so the password field is no longer included.
The auth decorator in auth.py is what handles user authentication. The relevant views are defined in users.py.
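One way the three changes could fit together, shown as an added example rather than the project's own auth.py or users.py: the `require_role` decorator, the `User` model, the in-memory `USERS` store and the role ranking are all assumptions constructed for illustration. The point it demonstrates is that the response and the swagger schema are both derived from one allow-list of fields, so `password_hash` cannot leak through either, and that the views now accept regular users while still rejecting anonymous callers.

```python
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Optional

# Constructed role ranking (assumption): admin outranks user outranks anonymous.
ROLE_RANK = {"anonymous": 0, "user": 1, "admin": 2}


@dataclass
class User:
    id: int
    username: str
    role: str
    password_hash: str  # stored, but never serialized into a response


@dataclass
class Request:
    user: Optional[User] = None  # None means an unauthenticated caller


class Forbidden(Exception):
    """Raised when the caller's role ranks below the view's minimum role."""


def require_role(minimum: str) -> Callable:
    """Hypothetical stand-in for the auth decorator in auth.py.
    Lets the view run only when the caller's role ranks at or above `minimum`."""
    def decorator(view):
        @wraps(view)
        def wrapper(request: Request, *args, **kwargs):
            role = request.user.role if request.user else "anonymous"
            if ROLE_RANK.get(role, 0) < ROLE_RANK[minimum]:
                raise Forbidden(f"{role} may not call {view.__name__}")
            return view(request, *args, **kwargs)
        return wrapper
    return decorator


# Single allow-list of fields that may appear in a user response.
PUBLIC_USER_FIELDS = ("id", "username", "role")


def serialize_user(user: User) -> dict:
    """Allow-list projection: only PUBLIC_USER_FIELDS are emitted, so
    password_hash (and any column added later) stays out by default."""
    return {f: getattr(user, f) for f in PUBLIC_USER_FIELDS}


def openapi_user_schema() -> dict:
    """Derive the documented response schema from the same allow-list, so the
    swagger docs cannot drift back to advertising a password field."""
    types = {"id": "integer", "username": "string", "role": "string"}
    return {"type": "object",
            "properties": {f: {"type": types[f]} for f in PUBLIC_USER_FIELDS}}


# Constructed in-memory store standing in for the users table.
USERS = {
    1: User(1, "alice", "admin", "$argon2id$constructed-hash-alice"),
    2: User(2, "bob", "user", "$argon2id$constructed-hash-bob"),
}


@require_role("user")  # previously "admin"; regular users now pass the check
def list_users(request: Request) -> list:
    """GET /users"""
    return [serialize_user(u) for u in USERS.values()]


@require_role("user")
def get_user(request: Request, user_id: int) -> dict:
    """GET /users/{id}"""
    user = USERS.get(user_id)
    if user is None:
        raise KeyError(user_id)  # stand-in for a 404 response
    return serialize_user(user)


def can_call(view, request: Request, *args) -> bool:
    """True if the view runs for this caller, False if the decorator refuses."""
    try:
        view(request, *args)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    bob = Request(user=USERS[2])  # a regular user
    print(list_users(bob))
    print(get_user(bob, 1))
    print(can_call(list_users, Request()))  # anonymous caller is refused
```

The allow-list projection is the part worth carrying over to the real code: a deny-list (`del data["password_hash"]`) silently starts leaking again the moment another sensitive column is added to the model, whereas the allow-list only exposes what is named.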