
Get challenges which particular user has access to by admin/m2m

Open maxceem opened this issue 3 years ago • 2 comments

We have an endpoint GET /v5/challenges which returns the list of the challenges. Some challenges are private and would only be returned to the users who belong to particular groups.

  • At the moment this endpoint decides which challenges to return based on the user who called this endpoint.

  • We would like to be able to get a list of the challenges by admin/m2m token as another user sees it, like this:

    GET /v5/challenges?viewAsUserId=123456
    

    or

    GET /v5/challenges?canViewUserId=123456
    

Reasons

  • We are working on performance testing for Challenge API and for Recommender API. For this purpose we have to get the list of the challenges using various users. At the moment the only way to do so is to provide credentials of such users and log in on behalf of these users. This is extremely insecure, especially on production. If we could request the list of the challenges on behalf of another user using M2M, we could test performance without introducing security risks.
  • Lakshmi mentioned that Topcoder Support has a need to see a list of the challenges as another user sees it to localize the issues.
  • We are also working on the Challenge Recommender API, which recommends challenges based on particular user history. It would be essential for testing, issue debugging and performance testing to be able to get the recommendations for a particular user. For this purpose, Recommender API should be able to get the list of the challenges as some user can see it from Challenge API using m2m token.

I also believe that this feature is not only a solution for the particular problems listed above, but it is also a generally reasonable feature for Challenge API. In other words, such an endpoint would answer the question: what challenges does a particular user have access to? I think many Topcoder services might need an answer to such a question, and this feature would also be useful for other tasks.

Security

  • There are no security risks, as admins and m2m can already see all the challenges. So this feature would only filter the list of challenges returned but not extend it.

Technical Complexity

  • It should be very easy to implement this filter. Basically, instead of getting groups of the user using the authenticated user's id, we would have to use viewAsUserId / canViewUserId from the query https://github.com/topcoder-platform/challenge-api/blob/develop/src/services/ChallengeService.js#L400

cc @ThomasKranitsas @rootelement @mtwomey @lakshmiathreya @codejamtc @RishiRajSahu

maxceem, Apr 10 '21 08:04
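
The filter proposed in this issue only narrows results if `viewAsUserId` is honored solely for admin and m2m callers, so the sketch below checks the caller before it swaps the user whose groups are looked up. It is an added example, not code from challenge-api or from the issue author: the caller shape (`userId`, `roles`, `isMachine`), the role name, `resolveView`, `visibleChallenges`, `groupsOf` and the sample data are all assumptions.

```javascript
// Added example. Names, role string and object shapes are assumptions, not challenge-api code.
const ADMIN_ROLE = 'administrator'; // assumed role name

class HttpError extends Error {
  constructor(status, message) { super(message); this.status = status; }
}

// Admin users and machine (m2m) tokens are the only callers allowed to request another user's view.
function isPrivileged(caller) {
  if (!caller) return false;
  return caller.isMachine === true ||
    (caller.roles || []).some((r) => String(r).toLowerCase() === ADMIN_ROLE);
}

// Decide whose group memberships drive the private-challenge filter.
function resolveView(caller, query) {
  const raw = query.viewAsUserId;
  if (raw !== undefined) {
    // Checked first, so a regular user can never obtain another user's view.
    if (!isPrivileged(caller)) throw new HttpError(403, 'viewAsUserId requires admin or m2m');
    // Repeated query keys arrive as arrays; accept a single numeric id only.
    if (typeof raw !== 'string' || !/^[1-9]\d{0,15}$/.test(raw)) {
      throw new HttpError(400, 'viewAsUserId must be a numeric user id');
    }
    return { mode: 'user', userId: raw };
  }
  if (!caller) return { mode: 'public' };
  if (isPrivileged(caller)) return { mode: 'all' };
  return { mode: 'user', userId: String(caller.userId) };
}

// A challenge with no groups is public; otherwise the viewer must share a group with it.
function visibleChallenges(challenges, view, groupsOf) {
  if (view.mode === 'all') return challenges;
  const mine = new Set(view.mode === 'user' ? groupsOf(view.userId) : []);
  return challenges.filter((c) => !(c.groups && c.groups.length) || c.groups.some((g) => mine.has(g)));
}

// Constructed sample data.
const CHALLENGES = [
  { id: 'c1', groups: [] },
  { id: 'c2', groups: ['g-private'] },
  { id: 'c3', groups: ['g-other'] },
];
const MEMBERSHIPS = { '123456': ['g-private'], '40000001': [] };
const groupsOf = (userId) => MEMBERSHIPS[userId] || [];

const asM2m = resolveView({ isMachine: true }, { viewAsUserId: '123456' });
console.log(visibleChallenges(CHALLENGES, asM2m, groupsOf).map((c) => c.id));
```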