
fix: @querystring shouldn't list userids #1824

Status: Open. Wants to merge 11 commits into base: main.

Conversation

askadityapandey

@askadityapandey askadityapandey commented Oct 10, 2024

This Pull Request fixes #1777 , lemme know if I need to make changes!


📚 Documentation preview 📚: https://plonerestapi--1824.org.readthedocs.build/

@mister-roboto

@askadityapandey thanks for creating this Pull Request and helping to improve Plone!

TL;DR: Finish pushing changes, pass all other checks, then paste a comment:

@jenkins-plone-org please run jobs

To ensure that these changes do not break other parts of Plone, the Plone test suite matrix needs to pass, but it takes 30-60 min. Other CI checks are usually much faster and the Plone Jenkins resources are limited, so when done pushing changes and all other checks pass either start all Jenkins PR jobs yourself, or simply add the comment above in this PR to start all the jobs automatically.

Happy hacking!

Member

@davisagli davisagli left a comment


Thanks for working on this. I'd like a few things to be different in the implementation:

  1. We should not have 2 different endpoints. We should still have one endpoint, @querystring, but it should filter its output based on the current user's permissions.
  2. Instead of a hardcoded list of sensitive vocabs, we should check for the user's permission to use the vocab in the same way that the @vocabularies endpoint already does:
    def _has_permission_to_access_vocabulary(self, vocabulary_name):
  3. There should be at least one test for this filtering, and the existing tests need to pass (or be updated to match a change in behavior, if necessary).
  4. There should be a note about the permission-based filtering in the docs for this endpoint.

Review comments (outdated, resolved) on: docs/source/endpoints/querystring.md, src/plone/restapi/services/querystring/configure.zcml
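The permission-based filtering the review above asks for, sketched as an added example (not code from this PR or from plone.restapi). The response shape, the vocabulary names and the permission map are constructed for the demo; `can_access_vocabulary` stands in for the endpoint's `_has_permission_to_access_vocabulary`, which in the real service consults the security manager.

```python
from copy import deepcopy

# Constructed sample in the shape of an @querystring response: each index may
# reference a vocabulary whose values (here, user ids) are sent to the client.
SAMPLE_QUERYSTRING = {
    "indexes": {
        "Creator": {
            "title": "Creator",
            "vocabulary": "plone.app.vocabularies.Users",
            "values": {"alice": {"title": "alice"}, "bob": {"title": "bob"}},
        },
        "portal_type": {
            "title": "Type",
            "vocabulary": "plone.app.vocabularies.ReallyUserFriendlyTypes",
            "values": {"Document": {"title": "Page"}},
        },
        "SearchableText": {"title": "Text", "vocabulary": None, "values": {}},
    },
    "sortable_indexes": {"created": {"title": "Created"}},
}

# Hypothetical permission map: which permission a vocabulary requires. In the
# real endpoint this is a security-manager check, not a static lookup.
VOCABULARY_PERMISSIONS = {
    "plone.app.vocabularies.Users": "Modify portal content",
    "plone.app.vocabularies.ReallyUserFriendlyTypes": "View",
}


def can_access_vocabulary(vocabulary_name, user_permissions):
    """Stand-in for _has_permission_to_access_vocabulary (assumed behaviour)."""
    required = VOCABULARY_PERMISSIONS.get(vocabulary_name, "View")
    return required in user_permissions


def filter_querystring(config, user_permissions):
    """Return a copy of the @querystring config with values of vocabularies the
    user may not access removed; the index itself stays so queries still work.
    Dropping the values (rather than the whole index) is one design choice."""
    result = deepcopy(config)
    for index in result["indexes"].values():
        vocab = index.get("vocabulary")
        if vocab and not can_access_vocabulary(vocab, user_permissions):
            index["values"] = {}
            index["vocabulary"] = None
    return result
```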
askadityapandey and others added 2 commits October 17, 2024 12:31
Co-authored-by: David Glick <david@glicksoftware.com>
@davisagli
Member

@askadityapandey I would like to merge this, but I am waiting for you to remove the changes in configure.zcml. They are wrong and are the reason the tests are not passing.

@davisagli
Member

@askadityapandey Please look at the automated checks that failed:

Successfully merging this pull request may close these issues: @querystring shouldn't list userids