[FIX] "*.members" rest api being useless and only returning usernames #8147
Am I wrong, or could I exploit this to get any user's field? (waiting for the Heroku deployment to test it)
You're not wrong 👎 We almost need a list of fields in the system which a normal user can access and which ones an admin can access. I can change things so that only the
I would say to change it so only admins could request any additional field.
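The per-role field list discussed in the comments above, sketched as an added example (not code from this pull request or from Rocket.Chat). `buildUserProjection` and both field lists are hypothetical, and the listed field names are constructed sample values.

```javascript
// Added illustration; buildUserProjection and the lists below are hypothetical.
// Field names in the lists are constructed samples, not the project's real policy.
const BASE_FIELDS = ['_id', 'username', 'status'];       // always returned
const USER_SELECTABLE = new Set(['name', 'utcOffset']);  // assumed safe for any member
const ALWAYS_EXCLUDED = new Set(['services', 'emails']); // assumed never returned here

function buildUserProjection(requested, isAdmin) {
  const projection = {};
  const rejected = [];
  for (const f of BASE_FIELDS) {
    projection[f] = 1;
  }

  for (const [field, value] of Object.entries(requested || {})) {
    // Decide on the top-level key so "services.password" is caught by "services".
    const root = field.split('.')[0];
    // Honour inclusion requests only: an exclusion such as { status: 0 } must not
    // cancel a base field, and operator values (objects) are never passed through.
    const isInclusion = value === 1 || value === true;
    const allowed = !root.startsWith('$') &&
      !ALWAYS_EXCLUDED.has(root) &&
      (isAdmin || USER_SELECTABLE.has(root));

    if (isInclusion && allowed) {
      projection[field] = 1;
    } else {
      rejected.push(field);
    }
  }
  // "rejected" lets the API layer log or report what was refused.
  return { projection, rejected };
}

// Constructed sample request from a non-admin caller.
const sample = buildUserProjection(
  { name: 1, 'services.password.bcrypt': 1, emails: 1, status: 0 },
  false
);
console.log(sample.projection, sample.rejected);
```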
Any chance to return the user avatar on this rest api call? Because we always show the avatar when we need to see the member list of a room.
@filipedelimabrito the
Thanks, but how can I get the user avatar if the customization allows it? Anyway, this is a call that requires authentication, so only a registered user can see (if the customization allows it) the member list of a room.
@filipedelimabrito For example: https://demo.rocket.chat/avatar/bradley.hilton
|
||
const members = RocketChat.models.Rooms.processQueryOptionsOnResult(Array.from(findResult.usernames), { | ||
sort: sort ? sort : -1, | ||
skip: offset, | ||
limit: count | ||
}); | ||
|
||
const ourFields = Object.assign({ _id: 1, username: 1, status: 1 }, fields, RocketChat.API.v1.defaultFieldsToExclude); | ||
const users = RocketChat.models.Users.find({ username: { $in: members } }, { fields: ourFields }).fetch(); |
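Review bot: In the `ourFields` line, the caller-supplied `fields` object is merged straight into the projection handed to `Users.find`, so the only thing keeping a caller from requesting an arbitrary user field is whatever `RocketChat.API.v1.defaultFieldsToExclude` lists. That is a denylist, which means any field added to the user document later is exposed by default. Suggest merging `fields` only when the caller holds an admin permission, or filtering it against an explicit allowlist before the `Object.assign`, as raised in the conversation. Separately, the `$in` query on the last line carries no sort, so the users it returns are not guaranteed to come back in the order that `sort`, `skip` and `limit` produced for `members`.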
How heavy is this find on large rooms?
What about using a cache for that?
RocketChat.models.Subscriptions.find({rid: 'GENERAL'}).forEach(item => console.log(item._user))
It's limited to 50 by default but users can request more and if they request a ton, then that load is on them.
…list api for that
[FIX] "*.members" rest api being useless and only returning usernames
@RocketChat/core
Closes #8116