[NEW] Allows admin to list all groups with API #7565
It's an excellent great idea and I really need that! Maybe changing the groups.info method also to allow the admin to see the complete info of the group?
Should we add a new method to list all groups? Like @graywolf336 what do you think?
It would probably be fine to add another method (though this one works if you consider that an admin should have access to all groups). However, if we want to mirror the web UI capability for the admin, he should be able to delete, modify, and get the info of all groups. So in any case, we will need to change the other methods to include an admin check, and bypass the "user is in group" check. (Or write another set of methods, admin only?)
I agree we should improve the methods to allow admins to administrate the rooms via API. Just the method to list should have a new one to not change the behavior; methods to get (a single record), change, and delete can be the same. But we need the opinion from @graywolf336 here.
Thanks for the pull request, however yes I agree with @rodrigok in that it should be split out into its own call so that it doesn't provide a breaking change in how this endpoint works.
let rooms = _.pluck(RocketChat.models.Subscriptions.findByTypeAndUserId('p', this.userId).fetch(), '_room'); | ||
let rooms; | ||
if (RocketChat.authz.hasPermission(this.userId, 'view-room-administration')) { | ||
rooms = _.pluck(RocketChat.models.Subscriptions.findByType('p').fetch(), '_room'); |
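Review bot: The admin branch's `Subscriptions.findByType('p')` query returns one row per user per room, so plucking `_room` from it yields one entry for every member of each group, and a group with no subscription rows never appears in the result. Query the rooms collection by the private type instead. This branch also changes what the existing endpoint returns for any caller who holds `view-room-administration`, leaving that caller no way to ask for only their own groups; a separate admin-only call keeps the current behaviour intact.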
This will have duplicate rooms since the subscriptions are for each user and each room the user is part of. Use the Rooms model and find by the private type.
Alright, I will revert back and add a .listAll with limited access
Sounds good, thanks 👍
get() { | ||
const { offset, count } = this.getPaginationItems(); | ||
const { sort, fields } = this.parseJsonQuery(); | ||
if (!RocketChat.authz.hasPermission(this.userId, 'view-room-administration')) { |
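Review bot: In `get()`, the `hasPermission` check for `view-room-administration` comes after `getPaginationItems()` and `parseJsonQuery()`, so caller-supplied pagination values and query JSON are parsed for requests that are going to be rejected anyway. Make the authorization check the first statement of the handler. Since `sort` and `fields` come from the caller, confirm that the part of the handler not shown here limits them to fields an administrator is meant to see, and add a test with a user that lacks the permission.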
Thanks for making the changes, any chance you can move this permission check to be above the other two items?
Makes sense. Done.
To mirror the web UI functionalities, the admin should be able to use most of the API methods for groups without being in the groups. Should I make a separate pull request for these changes?
Alright, should be done now.
@RocketChat/core
Closes #7408
This feature allows someone with "view-room-administration" permission to list all groups with the API call /api/v1/groups.list
Similar modifications should be done in the other groups API calls to ensure users with the proper permissions can do the same thing via API as with the web interface (such as delete & modify groups).
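The listing behaviour the thread settles on, as an added example that is not code from this pull request or from Rocket.Chat: a member-scoped list stays unchanged, and a separate admin-only list checks the permission before touching caller input and reads rooms rather than subscriptions. The in-memory arrays, the function names, the response shapes and the 100-item page cap are assumptions made for this sketch.

```javascript
// Constructed sample data: three private groups ('p') and one public channel ('c').
const rooms = [
  { _id: 'g1', t: 'p', name: 'ops' },
  { _id: 'g2', t: 'p', name: 'finance' },
  { _id: 'g3', t: 'p', name: 'empty-group' }, // constructed: has no members
  { _id: 'c1', t: 'c', name: 'general' },
];
// One subscription row per (user, room) pair.
const subscriptions = [
  { u: 'alice', rid: 'g1', t: 'p' },
  { u: 'bob', rid: 'g1', t: 'p' },
  { u: 'bob', rid: 'g2', t: 'p' },
  { u: 'alice', rid: 'c1', t: 'c' },
];
const permissions = { 'view-room-administration': new Set(['admin']) };

const hasPermission = (userId, perm) =>
  Boolean(permissions[perm] && permissions[perm].has(userId));

// Member-scoped list: only groups the caller is subscribed to (behaviour unchanged).
function groupsList(userId) {
  const ids = new Set(
    subscriptions.filter((s) => s.t === 'p' && s.u === userId).map((s) => s.rid)
  );
  return { status: 200, groups: rooms.filter((r) => ids.has(r._id)) };
}

// Admin-only list (hypothetical name): authorize first, then parse input, then query rooms.
function groupsListAll(userId, query = {}) {
  if (!hasPermission(userId, 'view-room-administration')) {
    return { status: 403, error: 'unauthorized' };
  }
  const offset = Math.max(0, Number.parseInt(query.offset, 10) || 0);
  const count = Math.min(100, Math.max(1, Number.parseInt(query.count, 10) || 50));
  const all = rooms.filter((r) => r.t === 'p');
  return { status: 200, total: all.length, groups: all.slice(offset, offset + count) };
}

// The approach the review rejected: one id per subscription row,
// so g1 appears twice and the memberless g3 is missing.
function groupIdsFromSubscriptions() {
  return subscriptions.filter((s) => s.t === 'p').map((s) => s.rid);
}
```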