grafana / oncall

Developer-friendly incident response with brilliant Slack integration
GNU Affero General Public License v3.0

Oncall persons missing in schedule for non admin users in large installations #999

Closed dmitry-tiger closed 1 year ago

dmitry-tiger commented 1 year ago

Non-admin users can't view people who are not on the first users page (/api/internal/v1/users/?page=1&search=) because the oncall plugin sends a request for each missing person (/api/internal/v1/users/) which leads to error 403 "You do not have permission to perform this action." It happens because only admins or the owner have permission to retrieve a user in the user view.

How to reproduce

thomasmitchell commented 1 year ago

I am also running into this issue. Some more information about this I've found is that, even as an admin user, the page normally only fetches the first page of users. Additionally, the api/plugin-proxy/grafana-oncall-app/api/internal/v1/schedules/S7EVLEB5YRQ7C/next_shifts_per_user endpoint called on this page returns null for any users not on the first page of users.

A workaround... sorta... that I've found for folks affected by this is that because of the internal caching in the plugin, users can go to the second page of the users tab before navigating to this schedule, and they will be able to see those users in the schedule.

sajad-sadra commented 7 months ago

I still have this problem. The user must be admin in the organization to see the other oncall names and information in the schedule. Even team admins cannot see their team oncall schedule correctly.

grafana version: 9.5.5
oncall version: v1.3.96
oncall plugin version: 1.3.100


The request that returns 403 with response {"detail":"You do not have permission to perform this action."} is this, in curl format:

curl 'https://grafana.xxx.yyy/api/plugin-proxy/grafana-oncall-app/api/internal/v1/users/U3MN2KRX1HFK8?from_organization=false' \
  -H 'authority: grafana.xxx.yyy' \
  -H 'accept: application/json, text/plain, */*' \
  -H 'accept-language: en-GB,en;q=0.9' \
  -H 'cache-control: no-cache' \
  -H 'cookie: grafana_session=8a2322f495f4a1ae2cf71315f4c1c596; grafana_session_expiry=1707122296; redirect_to=%2Fexplore' \
  -H 'pragma: no-cache' \
  -H 'referer: https://grafana.xxx.yyy/a/grafana-oncall-app/schedules/S8VPY2GH3Z8UT?p=1' \
  -H 'sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120", "Google Chrome";v="120"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "Linux"' \
  -H 'sec-fetch-dest: empty' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-site: same-origin' \
  -H 'user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36' \
  --compressed
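The root cause described in the first comment (a list endpoint every member may read, a per-user detail endpoint only admins may call, and a client that falls back to the detail endpoint for anyone not on page 1) and the cache-warming workaround in the second comment, as an added simulation. This is illustrative code, not Grafana OnCall's own; the user ids, page size and role names are constructed, and the two resolver functions are hypothetical stand-ins for the plugin's behaviour.

```python
"""Authorization mismatch between a list view and a detail view, as in this issue."""

PAGE_SIZE = 2  # constructed; real installations page in larger chunks

USERS = {  # constructed sample directory; ids are placeholders
    "U1": "alice", "U2": "bob", "U3": "carol", "U4": "dave",
}


class Forbidden(Exception):
    """Stands in for the HTTP 403 the plugin proxy returns."""


def list_users(page, role):
    """/users/?page=N: any org member may read the list, one page at a time."""
    ids = sorted(USERS)
    start = (page - 1) * PAGE_SIZE
    return [{"pk": u, "username": USERS[u]} for u in ids[start:start + PAGE_SIZE]]


def get_user(user_id, role):
    """/users/<id>: detail view permitted to admins only (the mismatch at the root of the issue)."""
    if role != "admin":
        raise Forbidden("You do not have permission to perform this action.")
    return {"pk": user_id, "username": USERS[user_id]}


def resolve_per_user(shift_user_ids, role, warm_pages=(1,)):
    """Strategy reported in the issue: cache the pages already visited (page 1 by
    default; the workaround is visiting page 2 first), then fetch each missing
    person individually, which fails with 403 for non-admins."""
    cache = {}
    for page in warm_pages:
        cache.update({u["pk"]: u["username"] for u in list_users(page, role)})
    for uid in shift_user_ids:
        if uid not in cache:
            try:
                cache[uid] = get_user(uid, role)["username"]
            except Forbidden:
                cache[uid] = None  # shows up as a missing person in the schedule
    return {uid: cache[uid] for uid in shift_user_ids}


def resolve_by_paging(shift_user_ids, role):
    """Safer strategy: keep paging the list endpoint the caller is allowed to read
    until every id on the schedule is known, never touching the admin-only view."""
    cache, page = {}, 1
    while not all(uid in cache for uid in shift_user_ids):
        batch = list_users(page, role)
        if not batch:
            break  # directory exhausted; unknown ids stay unresolved
        cache.update({u["pk"]: u["username"] for u in batch})
        page += 1
    return {uid: cache.get(uid) for uid in shift_user_ids}
```

The same schedule resolves fully for an admin or for a viewer who has pre-warmed page 2, and only partially for a plain viewer, which is exactly the symptom reported above.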