Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

IBX-9002: Added endpoint for list users with permission info #1372

Open
wants to merge 26 commits into
base: 4.6
Choose a base branch
from

Conversation

ciastektk
Copy link
Contributor

@ciastektk ciastektk commented Oct 17, 2024

🎫 Issue IBX-9002

Description:

This PR adds internal endpoint to load list of users with their permissions to by resolved context. This is required by share dialog feature to search for users by given phrase e.g.: name, surname or email. Full list of results should be displayed, grouped by users with and without permissions.

A new endpoint is not exposed in REST API to avoid public access to list of users with permissions for not logged users. To make this feature useful we cannot filter search results by permissions. Otherwise we would have to change permission settings for users to allow read User content.

Example query params:

  • contentId={contentId} - (int) Content item for permission check
  • locationId={locationId} - (int) target Location for permission check
  • limit={limit} - (int) number of results
  • offset={offset} - (int) results offset
  • phrase={phrase} - (string) phrase using for search user by first name, last name or email.
###  GET /permission/users-with-permission-info/{module}/{function}

GET http://localhost/admin/permission/users-with-permission-info/content/read?contentId=43&locationId=51
Accept: application/json
X-Siteaccess: admin


GET http://localhost/admin/permission/users-with-permission-info/content/edit?contentId=43&locationId=51&phrase=user&limit=5
Accept: application/json
X-Siteaccess: admin

For QA:

Documentation:

@ciastektk ciastektk changed the title Ibx 9002 endpoint for list users with permission info IBX-9002: Added endpoint for list users with permission info Oct 17, 2024
@ciastektk ciastektk marked this pull request as ready for review October 17, 2024 10:36
@ciastektk ciastektk requested a review from a team October 17, 2024 10:37
@ciastektk ciastektk added Feature New feature request Ready for review labels Oct 17, 2024
Copy link
Contributor

@Steveb-p Steveb-p left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Current implementation seems to - correct me if I'm wrong - not distinguish between Admin UI users and "frontend" users.

I.e. you will get results with store front customer accounts, if they are created. They will also heavily pollute this list, probably making it hardly usable (if what I'm saying is true).

On a separate note: this makes any user that is able to log into the admin to discover all usernames and emails (as this is what your endpoint basically does). Given this is public and deals with sensitive information, I don't think this can be exposed like that.

Additionally, it should be enabled only if there are features that rely on it IMO. And I would even go as far as ask developer/admin to toggle availability of this endpoint on explicitly, maybe through bundle configuration.

To sum up, it's too exposed and sensitive to be enabled by default.

@ciastektk ciastektk force-pushed the ibx-9002-endpoint-for-list-users-with-permission-info branch 2 times, most recently from 47b4139 to 3abf68b Compare October 18, 2024 07:37
@ciastektk
Copy link
Contributor Author

Current implementation seems to - correct me if I'm wrong - not distinguish between Admin UI users and "frontend" users.

I.e. you will get results with store front customer accounts, if they are created. They will also heavily pollute this list, probably making it hardly usable (if what I'm saying is true).

On a separate note: this makes any user that is able to log into the admin to discover all usernames and emails (as this is what your endpoint basically does). Given this is public and deals with sensitive information, I don't think this can be exposed like that.

Additionally, it should be enabled only if there are features that rely on it IMO. And I would even go as far as ask developer/admin to toggle availability of this endpoint on explicitly, maybe through bundle configuration.

To sum up, it's too exposed and sensitive to be enabled by default.

Sorry, previous version was sent for review too early. I pushed new version including new Query based on new Criteria (the previous ones did not work for elasticsearch and solr) and now guest and corporate users are skipped.

About availability of this endpoint. I have same feelings like you, and access for sensitive informations worries me. I'd to discuss this internally.

@ciastektk ciastektk force-pushed the ibx-9002-endpoint-for-list-users-with-permission-info branch 2 times, most recently from b2dc741 to f936d48 Compare October 31, 2024 09:19
Copy link

sonarcloud bot commented Oct 31, 2024

@ciastektk ciastektk requested review from a team, Steveb-p and adamwojs November 6, 2024 07:30
@ciastektk ciastektk requested a review from a team November 27, 2024 07:46
@ciastektk ciastektk force-pushed the ibx-9002-endpoint-for-list-users-with-permission-info branch from 0ea68b4 to bba7ec8 Compare November 27, 2024 08:09
@ciastektk ciastektk requested a review from a team November 29, 2024 08:52

$results = $this->groupByPermissions($searchResult, $permissionContext, $module, $function);

$this->permissionResolver->setCurrentUserReference($currentUserReference);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This instruction should be in catch { ... } finally { ... } block

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

foreach ($searchResult as $result) {
/** @var \Ibexa\Contracts\Core\Repository\Values\Content\ContentInfo $userContentInfo */
$userContentInfo = $result->valueObject;
$user = $this->userService->loadUser($userContentInfo->getId());
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We are loading here user with permission previous user result. This is a bug.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.


private function cleanSearchPhrase(string $phrase): string
{
$sanitizedPhrase = preg_replace('/[^a-zA-Z0-9@._-]/', '', $phrase);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we move regex to const ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ciastektk ciastektk force-pushed the ibx-9002-endpoint-for-list-users-with-permission-info branch from 57c7735 to fc53371 Compare December 9, 2024 09:14
@ciastektk ciastektk requested review from adamwojs and a team December 9, 2024 09:15
Copy link

sonarcloud bot commented Dec 9, 2024

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Feature New feature request Ready for QA
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants