fix(groups): fix unauthenticated access to groups because of missing read:group:members permission

The permission in question is now removed

Closes #1311

Signed-off-by: Thomas Citharel <tcit@tcit.fr>

js/src/components/OAuth/scopes.ts

@@ -104,13 +104,6 @@ export const scope: Record<
     ),
     icon: "chat",
   },
-  "read:group:members": {
-    title: t("Access group members"),
-    text: t(
-      "This application will be allowed to list group members in all of the groups you're a member of"
-    ),
-    icon: "account-circle",
-  },
   "read:group:followers": {
     title: t("Access group followers"),
     text: t(

lib/graphql/authorization/app_scope.ex

@@ -67,7 +67,6 @@ defmodule Mobilizon.GraphQL.Authorization.AppScope do
       :"read:group:events",
       :"read:group:discussions",
       :"read:group:resources",
-      :"read:group:members",
       :"read:group:followers",
       :"read:group:todo_lists",
       :"read:group:activities"

lib/graphql/schema/actors/group.ex

@@ -125,7 +125,7 @@ defmodule Mobilizon.GraphQL.Schema.Actors.GroupType do
       description: "Whether the group is opened to all or has restricted access"
     )
 
-    field :members, :paginated_member_list, meta: [private: true, rule: :"read:group:members"] do
+    field :members, :paginated_member_list do
       arg(:name, :string, description: "A name to filter members by")
       arg(:page, :integer, default_value: 1, description: "The page in the paginated member list")
       arg(:limit, :integer, default_value: 10, description: "The limit of members per page")

lib/graphql/schema/actors/member.ex

@@ -38,7 +38,7 @@ defmodule Mobilizon.GraphQL.Schema.Actors.MemberType do
   A paginated list of members
   """
   object :paginated_member_list do
-    meta(:authorize, :user)
+    meta(:authorize, :all)
     field(:elements, list_of(:member), description: "A list of members")
     field(:total, :integer, description: "The total number of elements in the list")
   end

test/graphql/resolvers/group_test.exs

@@ -188,7 +188,7 @@ defmodule Mobilizon.Web.Resolvers.GroupTest do
         )
 
       assert hd(res["errors"])["message"] ==
-               "Not authorized to access object paginated_member_list"
+               "Not authorized to access object member"
 
       # Login with non-member
       res =
@@ -259,7 +259,7 @@ defmodule Mobilizon.Web.Resolvers.GroupTest do
         )
 
       assert hd(res["errors"])["message"] ==
-               "Not authorized to access object paginated_member_list"
+               "Not authorized to access object member"
     end
   end