REST API: for user endpoint return selected values and remove password #777

Closed
waychal opened this issue Oct 17, 2017 · 5 comments
Comments

@waychal
Contributor

waychal commented Oct 17, 2017

In the REST API, for the user endpoint, return selected values like first_name, last_name, id, date_joined, email, institution, etc. and remove the password.

@waychal waychal added this to the v0.10.0 milestone Oct 17, 2017
@waychal waychal self-assigned this Oct 17, 2017
@waychal
Contributor Author

waychal commented Oct 17, 2017

All endpoints of the user will be removed for security reasons.
In api.py the user endpoints are commented out and the code is not completely removed. The resource and translator classes are still there but not used.

@waychal
Contributor Author

waychal commented Oct 18, 2017

Merged pull request successfully.

@waychal waychal closed this as completed Oct 18, 2017
@waychal waychal reopened this Oct 24, 2017
@waychal
Contributor Author

waychal commented Oct 24, 2017

Remove user documentation

@ltalirz
Member

ltalirz commented Oct 24, 2017

@waychal I'm reading through the documentation of the restapi and I'm starting to wonder:
Does it really make sense to remove the users endpoint completely?
The list of users is something one could anyhow get from the database in other ways I guess (unless we want to completely hide any information about the users).
Completely hiding user information is not practical, it is an important part of the provenance and we reference the user ids in different places (e.g. the groups endpoint).

The main security concern was that the password field (although currently unused) was shown.
Why not simply hide the password field (and, in materialscloud, also anything related to authentication)?
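
The approach suggested in the comment above (keep the user endpoint, hide the password and any authentication-related fields, keep referencing users by id from other endpoints such as groups) can be implemented with an explicit allowlist of returned fields plus a response-level check that no sensitive key ever appears. The following is an added example written for this page; it is not AiiDA's code and does not use the project's resource or translator classes. The user rows, the field names beyond those listed in the issue (`password`, `last_login`, `is_superuser`, `is_staff` standing in for "anything related to authentication"), the group record shape and the function names are all assumptions made for the example.

```python
"""Added example (not AiiDA's own code): allowlist-based projection of user
records for a REST API, so that the password and other authentication fields
are never serialised regardless of what the database row contains.

Assumptions (hypothetical, not from the project): user rows are plain dicts
as an ORM might return them; the public field names are the ones listed in
the issue; `password`, `last_login`, `is_superuser`, `is_staff` stand in for
"anything related to authentication".
"""
from typing import Any, Dict, Iterable, List

# Fields the API is allowed to return for a user (the list from the issue).
USER_PUBLIC_FIELDS = ("id", "first_name", "last_name", "email", "institution", "date_joined")

# Fields that must never appear anywhere in a response; used by the audit below.
SENSITIVE_FIELDS = frozenset({"password", "last_login", "is_superuser", "is_staff"})


def project_user(row: Dict[str, Any]) -> Dict[str, Any]:
    """Return only allowlisted fields of a user row.

    An allowlist is used on purpose instead of `del row['password']`: a column
    added to the user table later (a reset token, for instance) is hidden by
    default rather than exposed by default.
    """
    return {key: row[key] for key in USER_PUBLIC_FIELDS if key in row}


def project_group(row: Dict[str, Any]) -> Dict[str, Any]:
    """Groups reference users by id only: the provenance link stays, but no
    user record (and hence no credential) is embedded in the group response."""
    return {"id": row["id"], "label": row["label"], "user_id": row["user"]["id"]}


def find_sensitive_keys(obj: Any, path: str = "$") -> List[str]:
    """Walk a JSON-like structure and return JSONPath-style locations of every
    sensitive key. This is the regression check: even if some endpoint embeds a
    full user record by accident, the leak is reported instead of shipped."""
    hits: List[str] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}"
            if key in SENSITIVE_FIELDS:
                hits.append(here)
            hits.extend(find_sensitive_keys(value, here))
    elif isinstance(obj, list):
        for idx, item in enumerate(obj):
            hits.extend(find_sensitive_keys(item, f"{path}[{idx}]"))
    return hits


# Constructed sample rows, shaped like ORM output (all values are made up).
SAMPLE_USERS = [
    {
        "id": 1, "first_name": "Ada", "last_name": "Lovelace",
        "email": "ada@example.org", "institution": "Example University",
        "date_joined": "2017-10-17T00:00:00", "password": "pbkdf2_sha256$...",
        "last_login": None, "is_superuser": True,
    },
]
SAMPLE_GROUPS = [{"id": 7, "label": "calcs", "user": SAMPLE_USERS[0]}]


def build_users_response(rows: Iterable[Dict[str, Any]]) -> Dict[str, Any]:
    """Response body of the (hypothetical) users endpoint."""
    return {"data": {"users": [project_user(r) for r in rows]}}


def build_groups_response(rows: Iterable[Dict[str, Any]]) -> Dict[str, Any]:
    """Response body of the (hypothetical) groups endpoint."""
    return {"data": {"groups": [project_group(r) for r in rows]}}


if __name__ == "__main__":
    import json
    users = build_users_response(SAMPLE_USERS)
    groups = build_groups_response(SAMPLE_GROUPS)
    print(json.dumps(users, indent=2))
    print(json.dumps(groups, indent=2))
    # Unprojected rows leak three fields; the projected responses leak none.
    print(find_sensitive_keys({"data": {"users": SAMPLE_USERS}}))
    print(find_sensitive_keys(users), find_sensitive_keys(groups))
```

Running the audit over raw rows reports `$.data.users[0].password`, `$.data.users[0].last_login` and `$.data.users[0].is_superuser`; over the projected responses it reports nothing. Wiring `find_sensitive_keys` into the API test suite over every endpoint's output is the cheap way to make sure the password field does not reappear in a later refactor.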

@sphuber
Contributor

sphuber commented Nov 8, 2017

Fixed in PR #878

@sphuber sphuber closed this as completed Nov 8, 2017