
    Expose all users in the UserResource for public LocalSites.

    Review Request #6110 — Created July 16, 2014 and submitted

    Information

    Review Board
    release-1.7.x
    c400bf8...

    Reviewers

    The addition of public local sites exposed a bunch of assumptions in the user
    linking. By default, the user resource within a local site only contains those
    users who are actually members of the site. This causes a bunch of bizarre bugs
    in rbtools or other consumers of the API, because the links between objects
    (such as the review request submitter) could be 404.

    This change makes it so that if a local site is public, all users on the server
    are exposed in the site's user resource.

    Verified that links no longer 404 using cURL. I intend to add a unit test for
    this when porting to 2.0.x (since the API testing framework there is much
    improved over 1.7.x's).

    reviewbot
    1. Tool: Pyflakes
      Processed Files:
          reviewboard/webapi/resources.py
      
      
      
      Tool: PEP8 Style Checker
      Processed Files:
          reviewboard/webapi/resources.py
      
      
    chipx86
    1. This is a pretty major security hole. We shouldn't do this for lists or, for example, someone could get the username and e-mail address of every user on every private team on RBCommons just by getting this resource on a public localsite.

      1. Any ideas on solving this, then?

      2. I think we can just check the is_list argument in the kwargs, and do the more permissive query if that's False.
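
The list-versus-item distinction discussed in the comments above, as an added example that is not part of the review thread and is not Review Board's code. It is a plain-Python model with constructed users and sites; `user_queryset`, `list_users`, `get_user` and the `permissive_lists` switch are hypothetical names, with `is_list` standing in for the kwarg mentioned above.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    username: str
    email: str


@dataclass
class LocalSite:
    name: str
    public: bool
    members: set = field(default_factory=set)  # usernames of site members


# Constructed sample data: every account on the server.
ALL_USERS = [
    User("alice", "alice@example.com"),
    User("bob", "bob@example.com"),
    User("carol", "carol@example.com"),
]
PUBLIC_SITE = LocalSite("oss", public=True, members={"alice"})
PRIVATE_SITE = LocalSite("acme", public=False, members={"bob", "carol"})


def user_queryset(local_site, is_list, permissive_lists=False):
    """Users the site's user resource may return for this request.

    permissive_lists=True models the behaviour the reviewer objected to:
    a public site listing every account on the server.
    """
    if local_site.public and (not is_list or permissive_lists):
        return list(ALL_USERS)
    return [u for u in ALL_USERS if u.username in local_site.members]


def list_users(local_site, **kwargs):
    """GET on the list resource: usernames only, sorted."""
    return sorted(u.username for u in user_queryset(local_site, True, **kwargs))


def get_user(local_site, username):
    """GET on an item resource: the user, or None (an HTTP 404)."""
    for u in user_queryset(local_site, is_list=False):
        if u.username == username:
            return u
    return None
```

With the `is_list` check, the public site's list shows only its members, while an item lookup by a known username still resolves, which is what keeps links such as the review request submitter from returning 404.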

    david
    reviewbot
    1. Tool: Pyflakes
      Processed Files:
          reviewboard/webapi/resources.py
      
      
      
      Tool: PEP8 Style Checker
      Processed Files:
          reviewboard/webapi/resources.py
      
      
    chipx86
    1. Ship It!

    david
    Review request changed
    Status:
    Completed
    Change Summary:
    Pushed to release-1.7.x (2753b4b)