fix(groups): fix unauthenticated access to groups because of missing read:group:members permission

The permission in question is now removed Closes #1311 Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2023-06-21 17:47:10 +02:00 · 2023-06-21 17:47:10 +02:00 · 3714925896
parent 93f175da2c
commit 3714925896
5 changed files with 4 additions and 12 deletions
--- a/js/src/components/OAuth/scopes.ts
+++ b/js/src/components/OAuth/scopes.ts
@ -104,13 +104,6 @@ export const scope: Record<
    ),
    icon: "chat",
  },
-  "read:group:members": {
-    title: t("Access group members"),
-    text: t(
-      "This application will be allowed to list group members in all of the groups you're a member of"
-    ),
-    icon: "account-circle",
-  },
  "read:group:followers": {
    title: t("Access group followers"),
    text: t(
--- a/lib/graphql/authorization/app_scope.ex
+++ b/lib/graphql/authorization/app_scope.ex
@ -67,7 +67,6 @@ defmodule Mobilizon.GraphQL.Authorization.AppScope do
      :"read:group:events",
      :"read:group:discussions",
      :"read:group:resources",
-      :"read:group:members",
      :"read:group:followers",
      :"read:group:todo_lists",
      :"read:group:activities"
--- a/lib/graphql/schema/actors/group.ex
+++ b/lib/graphql/schema/actors/group.ex
@ -125,7 +125,7 @@ defmodule Mobilizon.GraphQL.Schema.Actors.GroupType do
      description: "Whether the group is opened to all or has restricted access"
    )

-    field :members, :paginated_member_list, meta: [private: true, rule: :"read:group:members"] do
+    field :members, :paginated_member_list do
      arg(:name, :string, description: "A name to filter members by")
      arg(:page, :integer, default_value: 1, description: "The page in the paginated member list")
      arg(:limit, :integer, default_value: 10, description: "The limit of members per page")
--- a/lib/graphql/schema/actors/member.ex
+++ b/lib/graphql/schema/actors/member.ex
@ -38,7 +38,7 @@ defmodule Mobilizon.GraphQL.Schema.Actors.MemberType do
  A paginated list of members
  """
  object :paginated_member_list do
-    meta(:authorize, :user)
+    meta(:authorize, :all)
    field(:elements, list_of(:member), description: "A list of members")
    field(:total, :integer, description: "The total number of elements in the list")
  end
--- a/test/graphql/resolvers/group_test.exs
+++ b/test/graphql/resolvers/group_test.exs
@ -188,7 +188,7 @@ defmodule Mobilizon.Web.Resolvers.GroupTest do
        )

      assert hd(res["errors"])["message"] ==
-               "Not authorized to access object paginated_member_list"
+               "Not authorized to access object member"

      # Login with non-member
      res =
@ -259,7 +259,7 @@ defmodule Mobilizon.Web.Resolvers.GroupTest do
        )

      assert hd(res["errors"])["message"] ==
-               "Not authorized to access object paginated_member_list"
+               "Not authorized to access object member"
    end
  end