fix(groups): fix unauthenticated access to groups because of missing read:group:members permission
The permission in question is now removed.
Closes #1311
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
parent
93f175da2c
commit
3714925896
|
@ -104,13 +104,6 @@ export const scope: Record<
|
||||||
),
|
),
|
||||||
icon: "chat",
|
icon: "chat",
|
||||||
},
|
},
|
||||||
"read:group:members": {
|
|
||||||
title: t("Access group members"),
|
|
||||||
text: t(
|
|
||||||
"This application will be allowed to list group members in all of the groups you're a member of"
|
|
||||||
),
|
|
||||||
icon: "account-circle",
|
|
||||||
},
|
|
||||||
"read:group:followers": {
|
"read:group:followers": {
|
||||||
title: t("Access group followers"),
|
title: t("Access group followers"),
|
||||||
text: t(
|
text: t(
|
||||||
|
|
|
@ -67,7 +67,6 @@ defmodule Mobilizon.GraphQL.Authorization.AppScope do
|
||||||
:"read:group:events",
|
:"read:group:events",
|
||||||
:"read:group:discussions",
|
:"read:group:discussions",
|
||||||
:"read:group:resources",
|
:"read:group:resources",
|
||||||
:"read:group:members",
|
|
||||||
:"read:group:followers",
|
:"read:group:followers",
|
||||||
:"read:group:todo_lists",
|
:"read:group:todo_lists",
|
||||||
:"read:group:activities"
|
:"read:group:activities"
|
||||||
|
|
|
@ -125,7 +125,7 @@ defmodule Mobilizon.GraphQL.Schema.Actors.GroupType do
|
||||||
description: "Whether the group is opened to all or has restricted access"
|
description: "Whether the group is opened to all or has restricted access"
|
||||||
)
|
)
|
||||||
|
|
||||||
field :members, :paginated_member_list, meta: [private: true, rule: :"read:group:members"] do
|
field :members, :paginated_member_list do
|
||||||
arg(:name, :string, description: "A name to filter members by")
|
arg(:name, :string, description: "A name to filter members by")
|
||||||
arg(:page, :integer, default_value: 1, description: "The page in the paginated member list")
|
arg(:page, :integer, default_value: 1, description: "The page in the paginated member list")
|
||||||
arg(:limit, :integer, default_value: 10, description: "The limit of members per page")
|
arg(:limit, :integer, default_value: 10, description: "The limit of members per page")
|
||||||
|
|
|
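Review bot: With both `private: true` and `rule: :"read:group:members"` dropped from `field :members, :paginated_member_list do`, nothing on the field itself restricts who may list a group's members any more; the check now rests entirely on the `:paginated_member_list`/`:member` object authorization and on the resolver, neither of which is in this hunk. Since the field sits right under a description saying a group may have "restricted access", it is worth confirming that the resolver (or the `:member` object rule) still refuses the listing to authenticated non-members of a restricted group, not only to unauthenticated callers. Once that is confirmed, a one-line why-comment on the field would stop the next reader from re-adding a scope: `# no app scope here on purpose: access is decided on the :member object / in the resolver`. The enclosing `object` definition of GroupType starts before this hunk.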
@ -38,7 +38,7 @@ defmodule Mobilizon.GraphQL.Schema.Actors.MemberType do
|
||||||
A paginated list of members
|
A paginated list of members
|
||||||
"""
|
"""
|
||||||
object :paginated_member_list do
|
object :paginated_member_list do
|
||||||
meta(:authorize, :user)
|
meta(:authorize, :all)
|
||||||
field(:elements, list_of(:member), description: "A list of members")
|
field(:elements, list_of(:member), description: "A list of members")
|
||||||
field(:total, :integer, description: "The total number of elements in the list")
|
field(:total, :integer, description: "The total number of elements in the list")
|
||||||
end
|
end
|
||||||
|
|
|
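Review bot: Switching the container to `meta(:authorize, :all)` on `object :paginated_member_list` admits unauthenticated callers to the wrapper, so the per-element `:member` rule and the resolver become the only gate, and `field(:total, :integer, ...)` two lines below is a plain integer that is not covered by a `:member` rule. Whether `total` is withheld together with `elements` presumably depends on how the authorization middleware treats a list whose element type denies — that logic is outside this hunk; if it nulls only the denied elements, the member count of a restricted group could still be disclosed to anyone. A test asserting that `total` is nil/absent for the unauthenticated and non-member cases would pin this down. A why-comment on the changed line would also help: `# :all is deliberate — access is decided per element on :member (and in the resolver), not on the container`.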
@ -188,7 +188,7 @@ defmodule Mobilizon.Web.Resolvers.GroupTest do
|
||||||
)
|
)
|
||||||
|
|
||||||
assert hd(res["errors"])["message"] ==
|
assert hd(res["errors"])["message"] ==
|
||||||
"Not authorized to access object paginated_member_list"
|
"Not authorized to access object member"
|
||||||
|
|
||||||
# Login with non-member
|
# Login with non-member
|
||||||
res =
|
res =
|
||||||
|
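Review bot: The updated assertion only checks the text of the first error, `"Not authorized to access object member"`; GraphQL responses can carry partial `data` alongside `errors`, so this test would still pass if the members list (or its `total`) were returned next to the error. Adding a data-side assertion after the message check, along the lines of `refute get_in(res, ["data", "group", "members", "elements"])` (adjust to the actual query shape), would make the regression test for #1311 actually guard against the leak. Matching on an object name in an error string is also brittle — a rename of the `:member` object would break the test without any security change — so consider asserting on a stable error field if the error map exposes one. The test function this assertion belongs to starts before the hunk.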
@ -259,7 +259,7 @@ defmodule Mobilizon.Web.Resolvers.GroupTest do
|
||||||
)
|
)
|
||||||
|
|
||||||
assert hd(res["errors"])["message"] ==
|
assert hd(res["errors"])["message"] ==
|
||||||
"Not authorized to access object paginated_member_list"
|
"Not authorized to access object member"
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
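Review bot: This second assertion pins the same `"Not authorized to access object member"` message for the logged-in non-member case as the earlier hunk does for the unauthenticated case, so the two assertions no longer distinguish "not logged in" from "logged in but not a member" — acceptable, but worth a short comment noting that both paths are expected to fail on the `:member` object now that the container is open. Nothing in these hunks exercises the positive path (a member of the group can still list members after the authorization change); if that is not covered elsewhere in the module, a test for it would catch an over-restrictive rule just as this one catches an under-restrictive one. The duplicated literal could be hoisted into a module attribute, e.g. `@member_unauthorized "Not authorized to access object member"`, so a future message change is a one-line edit.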