Protect user api and create a filtered user api for relationships. #12374

Closed
1 task
mshima opened this issue Sep 4, 2020 · 12 comments
Labels
area: enhancement 🔧 area: JHipster Code 💻 $$ bug-bounty $$ https://www.jhipster.tech/bug-bounties/ theme: api theme: security $200 https://www.jhipster.tech/bug-bounties/

@mshima
Member

mshima commented Sep 4, 2020

Overview of the feature request

I propose to:

  • Move current '/api/users' to '/api/admin/users' and protect it with admin role.
  • Create a compatible '/api/users' with filtered data (id, first and last name).
    And enable by default only if there is some relationship with User.

Motivation for or Use Case

Create a safer default to prevent privacy issues.

Related issues or PR
  • Checking this box is mandatory (this is just to show you read everything)
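
The split proposed above, sketched in plain Java as an added example (not code from the issue or from JHipster's generated application). The class, record and method names and the `ROLE_ADMIN` string are assumptions, and framework wiring is replaced by a single dispatch method.

```java
import java.util.List;
import java.util.Set;

// Added illustration; every name here is hypothetical, not JHipster's generated code.
public class UserApiSplit {

    // Full account record, as an unfiltered user listing would expose it.
    record User(long id, String login, String firstName, String lastName,
                String email, boolean activated, Set<String> authorities) {}

    // Public projection: only the fields the proposal lists (id, first and last name).
    record PublicUser(long id, String firstName, String lastName) {
        static PublicUser from(User u) {
            return new PublicUser(u.id(), u.firstName(), u.lastName());
        }
    }

    static final String ADMIN = "ROLE_ADMIN"; // assumed name for the admin role

    // Returns the response body for a GET, or throws when the caller is not allowed.
    static List<?> handleGet(String path, Set<String> callerRoles, List<User> users) {
        switch (path) {
            case "/api/admin/users":
                if (!callerRoles.contains(ADMIN)) {
                    throw new SecurityException("403 Forbidden");
                }
                return users; // full records, admins only
            case "/api/users":
                // Map to the projection so added User fields never leak by default.
                return users.stream().map(PublicUser::from).toList();
            default:
                throw new IllegalArgumentException("404 Not Found");
        }
    }

    public static void main(String[] args) {
        // Constructed sample data.
        List<User> users = List.of(new User(1L, "jdoe", "Jane", "Doe",
                "jane@example.org", true, Set.of("ROLE_USER")));
        Set<String> plainUser = Set.of("ROLE_USER");
        System.out.println(handleGet("/api/users", plainUser, users));
        try {
            handleGet("/api/admin/users", plainUser, users);
        } catch (SecurityException e) {
            System.out.println("/api/admin/users denied: " + e.getMessage());
        }
        System.out.println(handleGet("/api/admin/users", Set.of(ADMIN), users));
    }
}
```

Because the public endpoint builds its response from an allowlisted projection rather than by hiding fields on the full record, a field later added to `User` stays private unless someone deliberately adds it to `PublicUser`.
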
@pascalgrimaud
Member

Big +1

About

Create a compatible '/api/users' with filtered data (id, first and last name).
And enable by default only if there is some relationship with User

do you have an idea how to do this part ?

@pascalgrimaud
Member

unless you want to take this ticket @mshima, I'd like to keep this for our JHipster Code in 1 week.
It's not difficult to achieve it.
Are you ok ?

@mshima
Member Author

mshima commented Sep 5, 2020

@pascalgrimaud I will not take this ticket.
Most of the job I am doing is related to the workflow.
My own todo is almost finished, then I will create some tickets with cleanup suggestions.
I would suggest to add a bounty to it, but you can keep it to JHipster Code.

@github-actions
Contributor

This issue is stale because it has been open 30 days with no activity.
Our core developers tend to be more verbose on denying. If there is no negative comment, possibly this feature will be accepted.
We are accepting PRs 😃.
Comment or this will be closed in 7 days

@pascalgrimaud
Member

important to have

@pascalgrimaud pascalgrimaud added $$ bug-bounty $$ https://www.jhipster.tech/bug-bounties/ $100 https://www.jhipster.tech/bug-bounties/ and removed area: stale labels Nov 10, 2020
@pascalgrimaud
Member

adding a bounty, if it can motivate someone

gzsombor added a commit to gzsombor/generator-jhipster that referenced this issue Nov 16, 2020
…nt and PublicUserDTO for public consumptions
gzsombor added a commit to gzsombor/generator-jhipster that referenced this issue Nov 20, 2020
…nt and PublicUserDTO for public consumptions
gzsombor added a commit to gzsombor/generator-jhipster that referenced this issue Nov 21, 2020
…nt and PublicUserDTO for public consumptions
@pascalgrimaud
Member

PR in progress: #13048

pascalgrimaud added a commit that referenced this issue Dec 18, 2020
@pascalgrimaud pascalgrimaud added $200 https://www.jhipster.tech/bug-bounties/ and removed $100 https://www.jhipster.tech/bug-bounties/ labels Dec 18, 2020
@pascalgrimaud
Member

I'm increasing the bounty as it was much more work than expected
Don't forget it @gzsombor

@pascalgrimaud pascalgrimaud added this to the 7.0.0-beta.0 milestone Dec 18, 2020
gzsombor added a commit to gzsombor/generator-jhipster-micronaut that referenced this issue Dec 22, 2020
@gzsombor
Member

Thanks @pascalgrimaud ! I claimed the bug bounty here: https://opencollective.com/generator-jhipster/expenses/30439

@pascalgrimaud
Member

@gzsombor : approved

coderguy-tech pushed a commit to coderguy-tech/generator-jhipster that referenced this issue Jun 1, 2021
…nt and PublicUserDTO for public consumptions
gzsombor added a commit to gzsombor/generator-jhipster-micronaut that referenced this issue Aug 9, 2022
gzsombor added a commit to gzsombor/generator-jhipster-micronaut that referenced this issue Aug 10, 2022
gzsombor added a commit to gzsombor/generator-jhipster-micronaut that referenced this issue Aug 16, 2023
gzsombor added a commit to gzsombor/generator-jhipster-micronaut that referenced this issue Aug 17, 2023
3 participants