[IMPROVE] Authorize search of custom fields on `users.list` (#27423)

Co-authored-by: Matheus Barbosa Silva <36537004+matheusbsilva137@users.noreply.github.com>
4 years ago · a6939814b8
parent 17db2463f8
commit a6939814b8
2 changed files with 71 additions and 0 deletions
--- a/apps/meteor/app/api/server/v1/users.ts
+++ b/apps/meteor/app/api/server/v1/users.ts
@ -432,6 +432,7 @@ API.v1.addRoute(
 						inclusiveFieldsKeys.includes('username') && 'username.*',
 						inclusiveFieldsKeys.includes('name') && 'name.*',
 						inclusiveFieldsKeys.includes('type') && 'type.*',
+						inclusiveFieldsKeys.includes('customFields') && 'customFields.*',
 					].filter(Boolean) as string[],
 					this.queryOperations,
 				)
--- a/apps/meteor/tests/end-to-end/api/01-users.js
+++ b/apps/meteor/tests/end-to-end/api/01-users.js
@ -634,6 +634,8 @@ describe('[Users]', function () {
 	});

 	describe('[/users.list]', () => {
+		let user;
+
 		it('should query all users in the system', (done) => {
 			request
 				.get(api('users.list'))
@ -650,6 +652,74 @@ describe('[Users]', function () {
 				.end(done);
 		});

+		before((done) =>
+			setCustomFields({ customFieldText }, async (error) => {
+				if (error) {
+					return done(error);
+				}
+
+				const username = `customField_${Date.now()}${apiUsername}`;
+				const email = `customField_+${Date.now()}${apiEmail}`;
+				const customFields = { customFieldText: 'success' };
+
+				const userData = {
+					email,
+					name: username,
+					username,
+					password,
+					active: true,
+					roles: ['user'],
+					joinDefaultChannels: true,
+					verified: true,
+					customFields,
+				};
+
+				user = await createUser(userData);
+
+				expect(user).to.not.be.null;
+				expect(user).to.have.nested.property('username', username);
+				expect(user).to.have.nested.property('emails[0].address', email);
+				expect(user).to.have.nested.property('active', true);
+				expect(user).to.have.nested.property('name', username);
+				expect(user).to.have.nested.property('customFields.customFieldText', 'success');
+				expect(user).to.not.have.nested.property('e2e');
+
+				return done();
+			}),
+		);
+
+		after((done) => clearCustomFields(done));
+
+		it('should query all users in the system by custom fields', (done) => {
+			const query = {
+				fields: JSON.stringify({
+					username: 1,
+					_id: 1,
+					customFields: 1,
+				}),
+				query: JSON.stringify({
+					'customFields.customFieldText': 'success',
+				}),
+			};
+
+			request
+				.get(api('users.list'))
+				.query(query)
+				.set(credentials)
+				.expect('Content-Type', 'application/json')
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+					expect(res.body).to.have.property('count');
+					expect(res.body).to.have.property('total');
+					expect(res.body).to.have.property('users');
+					const queriedUser = res.body.users.find((u) => u._id === user._id);
+					expect(queriedUser).to.have.property('customFields');
+					expect(queriedUser.customFields).to.have.property('customFieldText', 'success');
+				})
+				.end(done);
+		});
+
 		it.skip('should query all users in the system by name', (done) => {
 			// filtering user list
 			request