api list users as superuser

Open manfrede opened this issue 5 years ago • 1 comments

Hi,

Sorry in advance if I missed anything, I'm not used to creating issues. Also, I'm not sure if this is a bug or a feature, but I tend more to the first. This is happening on our own instance on 4.0.3.

Since there is (as of now) no official LDAP support and the plugin is outdated (also I couldn't get it to work), we decided to just merge the users via REST services.

We created a job that retrieves all the users from taiga and our own user database, merges them and decides which users to create, deactivate etc. in taiga.

At first I just programmed after the Taiga REST API for users (https://taigaio.github.io/taiga-doc/dist/api.html#users-list), which states that a GET on /users returns a list of user object detail. In reality it is more likely a list of user contact detail, since some fields like the email (which is very important for the process) are missing.

The requesting user definitely was a superuser, so I looked into users\api.py:

def get_serializer_class(self):
    if self.action in ["partial_update", "update", "retrieve", "by_username"]:
        user = self.object
        if self.request.user == user or self.request.user.is_superuser:
            return self.admin_serializer_class

    return self.serializer_class

It seems that superuser is only considered for a few methods. So the documentation for the Rest API is incorrect or outdated in that matter.

I could have worked around this issue by querying every single user, since retrieve does get all fields, but I changed it on our instance to the following:

def get_serializer_class(self):
    if self.request.user.is_superuser:
        return self.admin_serializer_class
    elif self.action in ["partial_update", "update", "retrieve", "by_username"]:
        user = self.object
        if self.request.user == user or self.request.user.is_superuser:
            return self.admin_serializer_class

    return self.serializer_class

This works for me and I did not experience any side effects until now. Can I leave that in, or will this produce errors somewhere?

Thanks!

manfrede avatar Jan 21 '19 13:01 manfrede
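An added example, not part of the original post and not taiga-back code: a stand-alone model of the two `get_serializer_class` versions above that enumerates requester, action and target combinations and reports where the exposed field set changes. The field sets, the `User` class and the action name `list` for GET /users are assumptions made for illustration; only `email` is named in the issue.

```python
# Added example: stand-alone model, not taiga-back code.
# Field sets are constructed; only "email" is named in the issue.
from dataclasses import dataclass
from itertools import product

PUBLIC_FIELDS = {"id", "username", "full_name"}  # stand-in for serializer_class
ADMIN_FIELDS = PUBLIC_FIELDS | {"email"}         # stand-in for admin_serializer_class
DETAIL_ACTIONS = ["partial_update", "update", "retrieve", "by_username"]


@dataclass(frozen=True)
class User:
    username: str
    is_superuser: bool = False


def original_fields(action, requester, target=None):
    """Selection logic as posted in the issue, before the change."""
    if action in DETAIL_ACTIONS:
        if requester == target or requester.is_superuser:
            return ADMIN_FIELDS
    return PUBLIC_FIELDS


def patched_fields(action, requester, target=None):
    """Selection logic after the change: superuser is checked first."""
    if requester.is_superuser:
        return ADMIN_FIELDS
    elif action in DETAIL_ACTIONS:
        if requester == target or requester.is_superuser:
            return ADMIN_FIELDS
    return PUBLIC_FIELDS


def exposure_diff():
    """Return every (action, requester, target) where the versions differ."""
    admin, alice, bob = User("admin", True), User("alice"), User("bob")
    cases = [("list", r, None) for r in (admin, alice)]
    cases += list(product(DETAIL_ACTIONS, (admin, alice), (alice, bob)))
    return [(a, r.username, t.username if t else None)
            for a, r, t in cases
            if original_fields(a, r, t) != patched_fields(a, r, t)]


if __name__ == "__main__":
    # Only the superuser list case should change.
    print(exposure_diff())
```

The model covers only the actions named in the posted code plus `list`; any other action a real viewset exposes would also take the superuser branch in the patched version and needs its own check.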

I'm just digging into the API myself and finding this to still be the case. I agree either the documentation needs to be updated or the code fixed to return email to match the documentation (my preference).

In the meantime I guess I'll issue separate queries in order to get the email. Thanks all for a great open product with an API!

chrisfromredfin avatar Jul 07 '22 23:07 chrisfromredfin