Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

api.main: perform authorization for GET '/users' #430

Merged
merged 1 commit into from
Dec 8, 2023
Merged

api.main: perform authorization for GET '/users' #430

merged 1 commit into from
Dec 8, 2023

Conversation

JenySadadia
Copy link
Collaborator

Only allow authorized users to get existing users' details to protect user's personal information.

api.main: perform authorization for GET '/users'
849f178 
Only allow authorized users to get existing
users' details to protect user's personal
information.

Signed-off-by: Jeny Sadadia <[email protected]>
@JenySadadia JenySadadia force-pushed the authenticate-find-users branch from 96d79cb to 849f178 Compare December 8, 2023 11:31
@JenySadadia JenySadadia mentioned this pull request Dec 8, 2023
Merged
@nuclearcat
Copy link
Member

Verified manually using curl:

curl -X GET "$URI/latest/users"     -H 'accept: application/json'     -H "Authorization: Bearer $TOKEN"     -H 'Content-Type: application/json'
{"items":[{"id":"64705c1ae76325f50371875e","emai....
and
curl -X GET "$URI/latest/users"     -H 'accept: application/json' -H 'Content-Type: application/json'
{"detail":"Unauthorized"}

nuclearcat
nuclearcat approved these changes Dec 8, 2023
View reviewed changes
Copy link
Member

@nuclearcat nuclearcat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It works! :)

@nuclearcat nuclearcat added this pull request to the merge queue Dec 8, 2023
Merged via the queue into kernelci:main with commit d9c2621 Dec 8, 2023
4 checks passed
@JenySadadia JenySadadia deleted the authenticate-find-users branch December 8, 2023 15:52
@gctucker
Copy link
Contributor

But, this should only be returning public information. I think it's a step backwards, being able to find user information publicly makes sense and all public web services do this. Also, if all it takes is a user account then I would argue it's a false sense of security as it's not preventing any personal user data from being shared with other individuals.

@nuclearcat
Copy link
Member

Email is not public information, at least. I think it is better to move this discussion to Slack.

@gctucker
Copy link
Contributor

I can see your email address on your public profile here ;) https://github.com/nuclearcat

@nuclearcat
Copy link
Member

Yes, that intentional and github explicitly shows it will be published on github profile page.
But even this one good as example, it is my personal address for low priority stuff, but not the one i use for github authentication, notifications and important business emails.

@gctucker
Copy link
Contributor

Yes, I know :) As discussed on Slack now. Maybe a GitHub issue or discussion about how to manage users in general would be good actually.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nuclearcat nuclearcat nuclearcat approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@JenySadadia @nuclearcat @gctucker