feat: remove "view all users" from members #8447


Closed
Emyrk wants to merge 6 commits into main from stevenmasley/no_read_user

Conversation

@Emyrk (Member) commented Jul 11, 2023 (edited):

Moved to #8650

What this does

Removes the rbac permission for users to read all other users on the site.

Closes #5002

Changes

Permission Changes

  • ResourceTypeUser is now owned by the user_id of itself.
  • member could read all Users --> member can read only themselves

Open issues to resolve

  • All templates fetch the creator name. This is no longer able to be read.

    ```go
    // Looks up the creator username for every template. Because GetUserByID
    // is now an authorized read, a caller who cannot read the creator makes
    // the whole call fail instead of just missing that one name.
    func getCreatedByNamesByTemplateIDs(ctx context.Context, db database.Store, templates []database.Template) (map[string]string, error) {
    	creators := make(map[string]string, len(templates))
    	for _, template := range templates {
    		creator, err := db.GetUserByID(ctx, template.CreatedBy)
    		if err != nil {
    			return map[string]string{}, err
    		}
    		creators[template.ID.String()] = creator.Username
    	}
    	return creators, nil
    }
    ```

    • Solution: Both created_by and creator_username are now omitted if the user cannot view the creator. Meaning they can see templates created by themselves. Admins can still view all users.
  • User counts are still being read

    • Solution: Implement GetUsers with a SQL filter rather than filtering the returned list. Now all counts are counts of the readable users for any given caller.
  • Group members still return all users

  • If you grant a member admin on a template, they can see the permissions page. This page has a list of users/groups that can use/admin the template. Should this page show users they cannot read?

If omitted, the caller does not have permission to view said data
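The two mechanisms the PR description relies on, an RBAC check in which the User resource is owned by its own user_id, and pushing that check into the user query so rows and counts come from the same readable set, as an added example. This is illustrative code written for this page, not Coder's own RBAC or database layer; the Role, Subject, Store and TemplateView types, the CanReadUser and LeakyUserCount helpers, and the sample users and templates are all assumptions constructed here.

```go
package main

import (
	"fmt"
	"sort"
)

// Hypothetical, simplified stand-in for the site roles (not Coder's rbac package).
type Role string

const (
	RoleMember Role = "member" // regular site member
	RoleOwner  Role = "owner"  // site admin; can read all users
)

type Subject struct {
	ID   string
	Role Role
}

type User struct {
	ID       string
	Username string
}

type Template struct {
	ID        string
	Name      string
	CreatedBy string // user ID of the creator
}

// TemplateView mirrors the API shape the PR describes: created_by and
// creator_username are omitted (left empty) when the caller cannot read the creator.
type TemplateView struct {
	ID              string
	Name            string
	CreatedBy       string
	CreatorUsername string
}

// CanReadUser models ResourceTypeUser being owned by its own user_id:
// a member may read only itself, an owner may read everyone.
func CanReadUser(actor Subject, targetID string) bool {
	switch actor.Role {
	case RoleOwner:
		return true
	case RoleMember:
		return actor.ID == targetID
	default:
		return false
	}
}

// Store is an in-memory stand-in for the database (assumption).
type Store struct {
	Users     map[string]User
	Templates []Template
}

// GetUsers applies the authorization predicate inside the "query" and returns
// both the rows and the total count over the same readable set, so a member
// sees count == 1 rather than the site-wide user count.
func (s *Store) GetUsers(actor Subject) ([]User, int) {
	var out []User
	for _, u := range s.Users {
		if CanReadUser(actor, u.ID) {
			out = append(out, u)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].ID < out[j].ID })
	return out, len(out)
}

// LeakyUserCount shows the pre-fix behaviour the PR calls out: counting before
// filtering reveals how many users exist even though the rows are filtered.
func (s *Store) LeakyUserCount(actor Subject) int {
	return len(s.Users)
}

// GetTemplates lists every template but redacts the creator fields the caller
// cannot read, instead of failing the whole request on the first unreadable creator.
func (s *Store) GetTemplates(actor Subject) []TemplateView {
	views := make([]TemplateView, 0, len(s.Templates))
	for _, t := range s.Templates {
		v := TemplateView{ID: t.ID, Name: t.Name}
		if CanReadUser(actor, t.CreatedBy) {
			v.CreatedBy = t.CreatedBy
			if creator, ok := s.Users[t.CreatedBy]; ok {
				v.CreatorUsername = creator.Username
			}
		}
		views = append(views, v)
	}
	return views
}

// SampleStore builds constructed sample data (not taken from the PR).
func SampleStore() *Store {
	return &Store{
		Users: map[string]User{
			"u-admin": {ID: "u-admin", Username: "admin"},
			"u-alice": {ID: "u-alice", Username: "alice"},
			"u-bob":   {ID: "u-bob", Username: "bob"},
		},
		Templates: []Template{
			{ID: "t-1", Name: "docker", CreatedBy: "u-admin"},
			{ID: "t-2", Name: "alice-dev", CreatedBy: "u-alice"},
		},
	}
}

func main() {
	s := SampleStore()
	alice := Subject{ID: "u-alice", Role: RoleMember}
	users, n := s.GetUsers(alice)
	fmt.Printf("alice reads %d user(s): %v (count over all users would be %d)\n", n, users, s.LeakyUserCount(alice))
	for _, v := range s.GetTemplates(alice) {
		fmt.Printf("template %s created_by=%q creator_username=%q\n", v.Name, v.CreatedBy, v.CreatorUsername)
	}
}
```

Running it as a member shows the template list intact with the admin's creator fields blank, and a user count of 1; the same calls as an owner return all three users and every creator name. The point of GetUsers returning rows and count from one filtered pass is that the count can no longer disagree with what the caller is allowed to see.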
@Emyrk changed the title from "chore: add owner to resourceUser rbac object" to "feat: remove "view all users" from members" on Jul 12, 2023

@kylecarbs (Member) commented:
> Solution: Both created_by and creator_username is now omitted if the user cannot view the creator. Meaning they can see templates created by themselves. Admins can still view all users

@Emyrk I think we should allow users to see who is creating and maintaining templates. It's a worse experience for the user to not see that... they'll have no action to take if something is broken.

@Emyrk (Member, Author) commented:

> @Emyrk I think we should allow users to see who is creating and maintaining templates. It's a worse experience for the user to not see that... they'll have no action to take if something is broken.

I paused this PR because there are a lot of cases like that. There is a call today about it and a thread in Slack + a Notion page.

Essentially this is trickier than anticipated, so I broke the functional components of this PR up into different PRs and will likely close this.

@Emyrk closed this Jul 18, 2023
@github-actions bot locked and limited conversation to collaborators Jul 18, 2023
@Emyrk deleted the stevenmasley/no_read_user branch January 9, 2024 20:10

Development

Successfully merging this pull request may close these issues: Make listing users and groups a privileged endpoint
