fix(groups): fix unauthenticated access to groups because of missing read:group:members permission

The permission in question is now removed Closes #1311 Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2023-06-21 17:47:10 +02:00
parent 93f175da2c
commit 3714925896
5 changed files with 4 additions and 12 deletions
--- a/lib/graphql/authorization/app_scope.ex
+++ b/lib/graphql/authorization/app_scope.ex
@@ -67,7 +67,6 @@ defmodule Mobilizon.GraphQL.Authorization.AppScope do
      :"read:group:events",
      :"read:group:discussions",
      :"read:group:resources",
-      :"read:group:members",
      :"read:group:followers",
      :"read:group:todo_lists",
      :"read:group:activities"
--- a/lib/graphql/schema/actors/group.ex
+++ b/lib/graphql/schema/actors/group.ex
@@ -125,7 +125,7 @@ defmodule Mobilizon.GraphQL.Schema.Actors.GroupType do
      description: "Whether the group is opened to all or has restricted access"
    )

-    field :members, :paginated_member_list, meta: [private: true, rule: :"read:group:members"] do
+    field :members, :paginated_member_list do
      arg(:name, :string, description: "A name to filter members by")
      arg(:page, :integer, default_value: 1, description: "The page in the paginated member list")
      arg(:limit, :integer, default_value: 10, description: "The limit of members per page")
--- a/lib/graphql/schema/actors/member.ex
+++ b/lib/graphql/schema/actors/member.ex
@@ -38,7 +38,7 @@ defmodule Mobilizon.GraphQL.Schema.Actors.MemberType do
  A paginated list of members
  """
  object :paginated_member_list do
-    meta(:authorize, :user)
+    meta(:authorize, :all)
    field(:elements, list_of(:member), description: "A list of members")
    field(:total, :integer, description: "The total number of elements in the list")
  end