Merge branch 'fix' into 'main'

fix(groups): fix unauthenticated access to groups because of missing read:group:members permission

Closes #1311

See merge request framasoft/mobilizon!1415
This commit is contained in:
Thomas Citharel 2023-06-21 16:31:18 +00:00
commit 4b8f54a31b
5 changed files with 4 additions and 12 deletions

View file

@ -104,13 +104,6 @@ export const scope: Record<
),
icon: "chat",
},
"read:group:members": {
title: t("Access group members"),
text: t(
"This application will be allowed to list group members in all of the groups you're a member of"
),
icon: "account-circle",
},
"read:group:followers": {
title: t("Access group followers"),
text: t(

View file

@ -67,7 +67,6 @@ defmodule Mobilizon.GraphQL.Authorization.AppScope do
:"read:group:events",
:"read:group:discussions",
:"read:group:resources",
:"read:group:members",
:"read:group:followers",
:"read:group:todo_lists",
:"read:group:activities"

View file

@ -125,7 +125,7 @@ defmodule Mobilizon.GraphQL.Schema.Actors.GroupType do
description: "Whether the group is opened to all or has restricted access"
)
field :members, :paginated_member_list, meta: [private: true, rule: :"read:group:members"] do
field :members, :paginated_member_list do
arg(:name, :string, description: "A name to filter members by")
arg(:page, :integer, default_value: 1, description: "The page in the paginated member list")
arg(:limit, :integer, default_value: 10, description: "The limit of members per page")

View file

@ -38,7 +38,7 @@ defmodule Mobilizon.GraphQL.Schema.Actors.MemberType do
A paginated list of members
"""
object :paginated_member_list do
meta(:authorize, :user)
meta(:authorize, :all)
field(:elements, list_of(:member), description: "A list of members")
field(:total, :integer, description: "The total number of elements in the list")
end

View file

@ -188,7 +188,7 @@ defmodule Mobilizon.Web.Resolvers.GroupTest do
)
assert hd(res["errors"])["message"] ==
"Not authorized to access object paginated_member_list"
"Not authorized to access object member"
# Login with non-member
res =
@ -259,7 +259,7 @@ defmodule Mobilizon.Web.Resolvers.GroupTest do
)
assert hd(res["errors"])["message"] ==
"Not authorized to access object paginated_member_list"
"Not authorized to access object member"
end
end