Expose all users in the UserResource for public LocalSites.

Review Request #6110 — Created July 16, 2014 and submitted

Information

Review Board
release-1.7.x
c400bf8...

Reviewers

The addition of public local sites exposed a bunch of assumptions in the user
linking. By default, the user resource within a local site only contains those
users who are actually members of the site. This causes a bunch of bizarre bugs
in rbtools or other consumers of the API, because the links between objects
(such as the review request submitter) could be 404.

This change makes it so that if a local site is public, all users on the server
are exposed in the site's user resource.

Verified that links no longer 404 using cURL. I intend to add a unit test for
this when porting to 2.0.x (since the API testing framework there is much
improved over 1.7.x's)

reviewbot
  1. Tool: Pyflakes
    Processed Files:
        reviewboard/webapi/resources.py
    
    
    
    Tool: PEP8 Style Checker
    Processed Files:
        reviewboard/webapi/resources.py
    
    
  2. 
      
chipx86
  1. This is a pretty major security hole. We shouldn't do this for lists or, for example, someone could get the username and e-mail address of every user on every private team on RBCommons just by getting this resource on a public localsite.

    1. Any ideas on solving this, then?

    2. I think we can just check the is_list argument in the kwargs, and do the more permissive query if that's False.

  2. 
      
david
reviewbot
  1. Tool: Pyflakes
    Processed Files:
        reviewboard/webapi/resources.py
    
    
    
    Tool: PEP8 Style Checker
    Processed Files:
        reviewboard/webapi/resources.py
    
    
  2. 
      
chipx86
  1. Ship It!

  2. 
      
david
Review request changed
Status:
Completed
Change Summary:
Pushed to release-1.7.x (2753b4b)