medic / cht-user-management

GNU Affero General Public License v3.0

Non-admin users cannot safely find users by facility_id on > cht-core v4.4 #76

Open kennsippell opened 5 months ago

kennsippell commented 5 months ago

This tool needs to find a list of users by their facility_id. To "replace" an existing user, we need to find the users which are linked to a place. Currently, we do this with disableUsersByPlace but this isn't working for non-admin users.

Three issues combine to make this issue quite sticky:

This blocks "replace user" scenarios for devolved user management. cc @freddieptf

kennsippell commented 5 months ago

Options:

  1. Fix https://github.com/medic/cht-core/issues/8877 and upgrade to 4.7. This only affects CHT-Core 4.4 or later. We have some time since KE is on 4.2 and 4.3. UG is on 4.2.4. This could block upgrade. The cht-user-management tool could potentially not even support CHT 4.4.x to 4.6.x.
  2. Backport fix for https://github.com/medic/cht-core/issues/8877 or https://github.com/medic/cht-core/issues/8689 to 4.2.x and patch
  3. Modify _users/_security doc to permit access to the user_manager role. This also requires this update to couch.ini.

cc @mrjones-plip for input. This could potentially block CHIS upgrades.

mrjones-plip commented 5 months ago

> This could potentially block CHIS upgrades

Thanks for the heads up! Let's see if the workaround proposed in the ticket is viable and go from there.

I'll be keeping an eye out for updates!

mrjones-plip commented 3 months ago

Great to see the ddoc workaround is deployed!

Note that https://github.com/medic/cht-core/issues/8877 is under way and will be released in CHT 4.7.0.

kennsippell commented 3 months ago

Reactivating due to https://github.com/medic/cht-user-management/issues/115

mrjones-plip commented 3 months ago

@kennsippell - are you able to reproduce this in a dev environment? I wonder if using the new users API that is going to be released in 4.7 would be a solution? If you can reproduce it in a dev environment, then we could try using the branch images on 8877-lookup-single-user to see if the new API fixes the timeout.

I know that the new API PR isn't final and there were maybe some performance concerns, but the build is green, so the images have published! If this does end up being a fix, then we'd be happy to do a FR to use in production which will take a lot less time than 4.7 proper.

cc @jkuester @m5r

kennsippell commented 3 months ago

@mrjones-plip Yep. We will try it out. https://github.com/medic/cht-user-management/issues/114 means cht-user-management won't work with cht-core 4.4 to 4.6.

m5r commented 2 months ago

The two users APIs GET /api/v2/users/:username and GET /api/v2/users?{facility_id,contact_id}= have been merged to cht-core master and will be part of the 4.7.0 release.

https://github.com/medic/cht-core/pull/9016 https://github.com/medic/cht-core/pull/8928

And their documentation is already out: https://docs.communityhealthtoolkit.org/apps/reference/api/#get-apiv2users https://docs.communityhealthtoolkit.org/apps/reference/api/#get-apiv2usersusername

kennsippell commented 2 months ago

@m5r That's great! Thanks.

There are 4 eCHIS Kenya instances running cht-core 4.4 or 4.5. I don't know how that happened, but I can't downgrade them to 4.3.1 to get them working with cht-user-management. And it is a bunch of work to get this working for those instances.

If we backport your changes to 4.6.x, then I will push to upgrade all eCHIS instances to 4.6.x instead of 4.3.1 in these tickets https://github.com/moh-kenya/config-echis-2.0/issues/2096. I can't guarantee an upgrade, but it is a shot at a very large number of cht-core upgrades (47+ instances and the majority of CHT core users).