From a6939814b84ecd7c1d82e7f65bc8a9eb224f238e Mon Sep 17 00:00:00 2001
From: Luciano Marcos Pierdona Junior <64279791+LucianoPierdona@users.noreply.github.com>
Date: Tue, 20 Dec 2022 16:18:40 -0300
Subject: [PATCH] [IMPROVE] Authorize search of custom fields on `users.list` (#27423)
Co-authored-by: Matheus Barbosa Silva <36537004+matheusbsilva137@users.noreply.github.com>
---
 apps/meteor/app/api/server/v1/users.ts | 1 +
 apps/meteor/tests/end-to-end/api/01-users.js | 70 ++++++++++++++++++++
 2 files changed, 71 insertions(+)
diff --git a/apps/meteor/app/api/server/v1/users.ts b/apps/meteor/app/api/server/v1/users.ts
index e43cadac6ac..af74049434f 100644
--- a/apps/meteor/app/api/server/v1/users.ts
+++ b/apps/meteor/app/api/server/v1/users.ts
@@ -432,6 +432,7 @@ API.v1.addRoute(
 inclusiveFieldsKeys.includes('username') && 'username.*',
 inclusiveFieldsKeys.includes('name') && 'name.*',
 inclusiveFieldsKeys.includes('type') && 'type.*',
+ inclusiveFieldsKeys.includes('customFields') && 'customFields.*',
 ].filter(Boolean) as string[],
 this.queryOperations,
 )
diff --git a/apps/meteor/tests/end-to-end/api/01-users.js b/apps/meteor/tests/end-to-end/api/01-users.js
index d9409f4f22b..03051b8fdb3 100644
--- a/apps/meteor/tests/end-to-end/api/01-users.js
+++ b/apps/meteor/tests/end-to-end/api/01-users.js
@@ -634,6 +634,8 @@ describe('[Users]', function () { }); describe('[/users.list]', () => { + let user; + it('should query all users in the system', (done) => { request .get(api('users.list')) 
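Review bot: The added `'customFields.*'` entry in `users.ts` allows filtering on every custom-field key, and the only condition visible in the hunk is that `customFields` appears in `inclusiveFieldsKeys`. If that list is derived from the caller's own `fields` parameter (not shown here), the guard is self-service, and match/no-match results could disclose custom-field values to callers who are not meant to read them. It is worth confirming that `customFields` is only projected for callers with the relevant view permission, and recording that with a comment above the line, e.g. `// customFields.* relies on the customFields projection being permission-checked upstream`. The `API.v1.addRoute(` call begins and ends outside the hunk.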
@@ -650,6 +652,74 @@ describe('[Users]', function () { .end(done); }); + before((done) => + setCustomFields({ customFieldText }, async (error) => { + if (error) { + return done(error); + } + + const username = `customField_${Date.now()}${apiUsername}`; + const email = `customField_+${Date.now()}${apiEmail}`; + const customFields = { customFieldText: 'success' }; + + const userData = { + email, + name: username, + username, + password, + active: true, + roles: ['user'], + joinDefaultChannels: true, + verified: true, + customFields, + }; + + user = await createUser(userData); + + expect(user).to.not.be.null; + expect(user).to.have.nested.property('username', username); + expect(user).to.have.nested.property('emails[0].address', email); + expect(user).to.have.nested.property('active', true); + expect(user).to.have.nested.property('name', username); + expect(user).to.have.nested.property('customFields.customFieldText', 'success'); + expect(user).to.not.have.nested.property('e2e'); + + return done(); + }), + ); + + after((done) => clearCustomFields(done)); + + it('should query all users in the system by custom fields', (done) => { + const query = { + fields: JSON.stringify({ + username: 1, + _id: 1, + customFields: 1, + }), + query: JSON.stringify({ + 'customFields.customFieldText': 'success', + }), + }; + + request + .get(api('users.list')) + .query(query) + .set(credentials) + .expect('Content-Type', 'application/json') + .expect(200) + .expect((res) => { + expect(res.body).to.have.property('success', true); + expect(res.body).to.have.property('count'); + expect(res.body).to.have.property('total'); + expect(res.body).to.have.property('users'); + const queriedUser = res.body.users.find((u) => u._id === user._id); + expect(queriedUser).to.have.property('customFields'); + expect(queriedUser.customFields).to.have.property('customFieldText', 'success'); + }) + .end(done); + }); + it.skip('should query all users in the system by name', (done) => { // filtering user list 
request
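Review bot: The new case `it('should query all users in the system by custom fields', …)` covers only the accepted request (`customFields: 1` in `fields`, sent with `credentials`), so the restriction the allow-list is meant to enforce is untested. A companion case that sends the same `query` without `customFields` in `fields`, and one sent by an account without elevated permissions, would pin the rejection path; the expected status should be taken from the endpoint's invalid-query handling, which is not visible here. Separately, `after((done) => clearCustomFields(done))` leaves the account created in `before` in place, and a failing `expect` inside the `async` callback would surface as a timeout rather than a failure because the throw never reaches `done`; wrapping that body in `try { … } catch (e) { return done(e); }` would fix the latter.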