Closed nirajacharya2 closed 10 months ago
This is an admin route. Needs admin permissions.
@micbar how should a user then be able to share? For sharing a user needs ids of other user/groups
Good question.
@butonic we need a user search like on ocs, where you can start typing and get users/groups back.
And then we need to change getUsers
and getGroups
in the PHP SDK to use that user search, or create new functions
@butonic we need a user search like on ocs, where you can start typing and get users/groups back.
@micbar get graph/v1.0/users?$search=searchterm
already allows that ($filter
as well to some extent). I guess we mainly need to carefully define which attributes a "normal" user is allowed to see from other users. (And then lift the AdminOnly
protection on that endpoint)
Yes, from the usage (in the PHP SDK) that would be preferable, any user can query the endpoint, some get more some get less data.
Basic plan:
graph/v1.0/users
route$select
parameter (either not implemented right now, or I don't know how to make it work)
(*) Based on the user model in the libre-graph-api-go repo, I think we can use just the Id
, DisplayName
and Mail
. The Surname
and GivenName
might be ok to be public, but I don't think they'll be useful.
Note that queries, filters and other stuff will remain without changes. In particular, regular users might still filter users by specific roles, or list users from any group (we'll likely need to implement additional restrictions to prevent this)
We need to make sure that we get this in before friday (feature freeze).
I've uploaded code into the "normal_user_list" branch. Code changes can be seen in https://github.com/owncloud/ocis/compare/normal_user_list
That should cover points 1 and 2. The select can be considered as hardcoded right now, so it will only show the id, displayname and the mail of the users regardless of what the user has requested (it needs additional work).
Note that specific filters for the regular users still needs to be implemented. Right now, any user can list every user in the system.
@jvillafanez I think you plan looks great just a few comments:
Basic plan:
1. Remove the "require admin" restriction from the `graph/v1.0/users` route 2. Check whether the user in the reva context (which I guess is the user making the request) has the admin role.
Instead of just checking for the admin role I think it would be better to check if the user's role assigment has the Account Management
permission. The Admin role check was a crutch for the beginning IMO.
Also we should restrict "normal" user to queries that contain a $search
parameter of a certain length (e.g. at least 3 characters). All other queries ($filter, $expand, ...) should be forbidden for now IMO.
3. Implement the `$select` parameter (either not implemented right now, or I don't know how to make it work)
It's not implemented. But I don't think we need it currently.
3. If the user does NOT have the admin role and no "select" is being used, then show only the relevant attributes (to be decided which ones (*))
:point_up: This is the part we need IMO.
(*) Based on the user model in the libre-graph-api-go repo, I think we can use just the
Id
,DisplayName
andSurname
andGivenName
might be ok to be public, but I don't think they'll be useful.
:+1:
Note that queries, filters and other stuff will remain without changes. In particular, regular users might still filter users by specific roles, or list users from any group (we'll likely need to implement additional restrictions to prevent this)
All of this should stay limited to users with the Account Management
permission for now IMO. As said above the only thing we should allow for unprivileged user is querys of the type graph/v1.0/users?$search=searchterm
Unless I've missed something, it should be done:
I'll try to add some tests and make the "official" PR.
Unless I've missed something, it should be done:
* No changes for people with account management permissions (mostly admins I guess) * Regular users will have the following limitations: * Only "id", "displayName" and "mail" will be shown per user. * "$search" option MUST be present in the query, with at least 3 characters * "$filter", "$apply", "$expand" and "$compute" options aren't allowed * "$select" option is currently ignored for anyone.
I'll try to add some tests and make the "official" PR.
Yes. That is the minimal stuff that's needed for the sharing NG story. We can think about how we add all the other bells and whistles later.
done.
Describe the bug
when listing the users as a normal user like
marie
it gives401
https://owncloud.dev/libre-graph-api/#/users/ListUsersSteps to reproduce
response:
Expected behavior
marie
should get the list of usersActual behavior
marie
gets deniedSetup
Please describe how you started the server and provide a list of relevant environment variables or configuration files.
```console OCIS_XXX=master ```
Additional context
Add any other context about the problem here.