[FIX] "*.members" rest api being useless and only returning usernames #8147

Merged
merged 2 commits into from
Sep 18, 2017


graywolf336
Contributor

@RocketChat/core

Closes #8116

@engelgabriel engelgabriel temporarily deployed to rocket-chat-pr-8147 September 14, 2017 17:24 Inactive
@sampaiodiego
Member

sampaiodiego commented Sep 14, 2017

Am I wrong, or could I exploit this to get any user's field? (Waiting for the Heroku deployment to test it.)

@graywolf336
Contributor Author

You're not wrong 👎

We almost need a list of fields in the system which a normal user can access and which ones an admin can access. I can change things so that only the _id, username, status are accessible via this...

@sampaiodiego
Member

I would say to change it so only _id, username, name, status, utcOffset are returned to regular users.

Admins could request any additional field.
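
The field split proposed in the comments above (a fixed set for regular users, extra fields for admins only), sketched as an added example that is not code from this pull request or from Rocket.Chat. `buildMemberProjection`, the `isAdmin` flag and the contents of `ALWAYS_EXCLUDED` are assumptions.

```javascript
// Added example, not Rocket.Chat code. The regular-user field names come from
// the review thread; everything else here is an assumption for illustration.
const REGULAR_USER_FIELDS = ['_id', 'username', 'name', 'status', 'utcOffset'];
// Assumed stand-in for a server-side denylist that applies even to admins
// (constructed contents; Meteor keeps credential data under `services`).
const ALWAYS_EXCLUDED = ['services'];

const topLevel = (path) => String(path).split('.')[0];

/**
 * Build a MongoDB inclusion projection from a client-supplied `fields` object.
 * requested: e.g. { name: 1, emails: 1 }, parsed from the request.
 * isAdmin:   result of the caller's permission check (assumed done elsewhere).
 */
function buildMemberProjection(requested, isAdmin) {
  // Baseline every caller gets, matching the defaults shown in the PR.
  const projection = { _id: 1, username: 1, status: 1 };
  if (requested === null || typeof requested !== 'object' || Array.isArray(requested)) {
    return projection;
  }
  for (const [path, value] of Object.entries(requested)) {
    // Only plain inclusions are honoured. An exclusion such as { name: 0 }
    // would turn the query into "everything except name", and projection
    // operators arrive as objects, so both kinds of value are dropped.
    if (value !== 1 && value !== true) continue;
    // Operator keys are never valid field names here.
    if (path.startsWith('$')) continue;
    // Dotted paths are judged by their top-level field, so
    // "services.password.bcrypt" is caught by the "services" entry.
    const root = topLevel(path);
    if (ALWAYS_EXCLUDED.includes(root)) continue;
    if (!isAdmin && !REGULAR_USER_FIELDS.includes(root)) continue;
    projection[path] = 1;
  }
  return projection;
}

// Constructed sample request mixing allowed, admin-only and excluded fields.
const sampleRequest = { name: 1, emails: 1, 'services.password.bcrypt': 1, username: 0 };
console.log('regular user:', buildMemberProjection(sampleRequest, false));
console.log('admin:', buildMemberProjection(sampleRequest, true));
```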

@philipbrito
Contributor

Any chance to return the user avatar on this rest api call? Because we always show the avatar when we need to see the member list of a room.

@graywolf336
Contributor Author

@filipedelimabrito the avatar property on the messages isn't always promised to be there as that's a special customization property, so no, that won't be returned unless the message is special and has it.

@philipbrito
Contributor

philipbrito commented Sep 14, 2017

Thanks, but how can I get the user avatar if the customization allows it? Anyway, this is a call that requires authentication, so only a registered user can see (in case the customization allows it) the member list of a room.

@graywolf336
Contributor Author

@filipedelimabrito $ROOTURL/avatar/$USERNAME

For example: https://demo.rocket.chat/avatar/bradley.hilton


const members = RocketChat.models.Rooms.processQueryOptionsOnResult(Array.from(findResult.usernames), {
sort: sort ? sort : -1,
skip: offset,
limit: count
});

const ourFields = Object.assign({ _id: 1, username: 1, status: 1 }, fields, RocketChat.API.v1.defaultFieldsToExclude);
const users = RocketChat.models.Users.find({ username: { $in: members } }, { fields: ourFields }).fetch();
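
Review bot: In the `ourFields` line, the caller-supplied `fields` object is merged straight into the projection handed to `Users.find`, so the only thing limiting which user fields come back is the `RocketChat.API.v1.defaultFieldsToExclude` denylist. The thread above settled on a fixed set for regular users (_id, username, name, status, utcOffset) with additional fields for admins only; I'd filter `fields` against that set before the `Object.assign` unless the caller passes an admin permission check. Also note that `limit: count` shows no upper bound in these lines, which is worth capping given the `$in` lookup that follows.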
Member

How heavy is this find on large rooms?
What about using a cache for that?

RocketChat.models.Subscriptions.find({rid: 'GENERAL'}).forEach(item => console.log(item._user))

Contributor Author

It's limited to 50 by default but users can request more and if they request a ton, then that load is on them.

@engelgabriel engelgabriel temporarily deployed to rocket-chat-pr-8147 September 14, 2017 19:40 Inactive
@rodrigok rodrigok added this to the 0.59.0-rc.6 milestone Sep 18, 2017
@rodrigok rodrigok merged commit 25cce2d into develop Sep 18, 2017
@rodrigok rodrigok deleted the fix-the-members-list-rest-api branch September 18, 2017 23:00
rodrigok added a commit that referenced this pull request Sep 18, 2017
[FIX] "*.members" rest api being useless and only returning usernames

Successfully merging this pull request may close these issues.

[API] Improve members list API, adding name, status and userId to the list