From 3714925896ad0415496352b9901ebec199afa0f2 Mon Sep 17 00:00:00 2001
From: Thomas Citharel
Date: Wed, 21 Jun 2023 17:47:10 +0200
Subject: [PATCH] fix(groups): fix unauthenticated access to groups because of missing read:group:members permission

The permission in question is now removed

Closes #1311

Signed-off-by: Thomas Citharel
---
 js/src/components/OAuth/scopes.ts | 7 -------
 lib/graphql/authorization/app_scope.ex | 1 -
 lib/graphql/schema/actors/group.ex | 2 +-
 lib/graphql/schema/actors/member.ex | 2 +-
 test/graphql/resolvers/group_test.exs | 4 ++--
 5 files changed, 4 insertions(+), 12 deletions(-)

diff --git a/js/src/components/OAuth/scopes.ts b/js/src/components/OAuth/scopes.ts
index bcdc4c087..dfd1ccc15 100644
--- a/js/src/components/OAuth/scopes.ts
+++ b/js/src/components/OAuth/scopes.ts
@@ -104,13 +104,6 @@ export const scope: Record<
 ),
 icon: "chat",
 },
- "read:group:members": {
- title: t("Access group members"),
- text: t(
- "This application will be allowed to list group members in all of the groups you're a member of"
- ),
- icon: "account-circle",
- },
 "read:group:followers": {
 title: t("Access group followers"),
 text: t(
diff --git a/lib/graphql/authorization/app_scope.ex b/lib/graphql/authorization/app_scope.ex
index c162c287b..ebf5c5943 100644
--- a/lib/graphql/authorization/app_scope.ex
+++ b/lib/graphql/authorization/app_scope.ex
@@ -67,7 +67,6 @@ defmodule Mobilizon.GraphQL.Authorization.AppScope do
 :"read:group:events",
 :"read:group:discussions",
 :"read:group:resources",
- :"read:group:members",
 :"read:group:followers",
 :"read:group:todo_lists",
 :"read:group:activities"
diff --git a/lib/graphql/schema/actors/group.ex b/lib/graphql/schema/actors/group.ex
index 518271121..f485c24dd 100644
--- a/lib/graphql/schema/actors/group.ex
+++ b/lib/graphql/schema/actors/group.ex
@@ -125,7 +125,7 @@ defmodule Mobilizon.GraphQL.Schema.Actors.GroupType do description: "Whether the group is opened to all or has restricted access" ) - field :members, :paginated_member_list, meta: [private: true, rule: :"read:group:members"] do + field :members, :paginated_member_list do arg(:name, :string, description: "A name to filter members by") arg(:page, :integer, default_value: 1, description: "The page in the paginated member list") arg(:limit, :integer, default_value: 10, description: "The limit of members per page") diff --git a/lib/graphql/schema/actors/member.ex b/lib/graphql/schema/actors/member.ex index a8efe191e..a48190316 100644 --- a/lib/graphql/schema/actors/member.ex +++ b/lib/graphql/schema/actors/member.ex @@ -38,7 +38,7 @@ defmodule Mobilizon.GraphQL.Schema.Actors.MemberType do A paginated list of members """ object :paginated_member_list do - meta(:authorize, :user) + meta(:authorize, :all) field(:elements, list_of(:member), description: "A list of members") field(:total, :integer, description: "The total number of elements in the list") end diff --git a/test/graphql/resolvers/group_test.exs b/test/graphql/resolvers/group_test.exs index 0ff56ced0..ad7417897 100644 --- a/test/graphql/resolvers/group_test.exs +++ b/test/graphql/resolvers/group_test.exs @@ -188,7 +188,7 @@ defmodule Mobilizon.Web.Resolvers.GroupTest do ) assert hd(res["errors"])["message"] == - "Not authorized to access object paginated_member_list" + "Not authorized to access object member" # Login with non-member res = @@ -259,7 +259,7 @@ defmodule Mobilizon.Web.Resolvers.GroupTest do ) assert hd(res["errors"])["message"] == - "Not authorized to access object paginated_member_list" + "Not authorized to access object member" end end
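Review bot: On the group.ex hunk, `field :members, :paginated_member_list do` now carries no `rule:` and no `private: true`, and the member.ex hunk opens `:paginated_member_list` to `:all`, so the only remaining gate on member data is the object-level authorization of `:member`, which is what the updated expectations at 188 and 259 (`Not authorized to access object member`) rely on. As far as these hunks show, that gate covers `elements` but not `total`, so an unauthenticated or non-member caller may still receive a group's member count alongside the error unless the resolver behind `:members` rejects the request itself; worth confirming, and worth having both tests also assert that `res["data"]["group"]["members"]` is nil rather than only matching the error message. Removing `:"read:group:members"` from AppScope in the earlier hunk also means any OAuth application already granted that scope now holds a scope the list no longer knows, and the hunk does not show how such stored scopes are treated. A short comment on the field, `# Member visibility is enforced on the :member object, not on this field`, would make the intent explicit for the next reader. The enclosing `object :group` block starts and ends outside the hunk.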