PATCH: Allow filtering by customFields in user queries
SAPI’s `find_rc_user_by_sapi_user_id` calls RC’s `users.list` API endpoint with `/api/v1/users.list?query={"customFields.sa_id": #{sapi_user_id}}`.

This call fails under vanilla RC 4.8.4 with

    Error: Invalid attribute: customFields.sa_id [error-invalid-query]
        at Object.get (app/api/server/v1/users.js:330:11)

This problem is related to the Upstream issue RocketChat#25722 "API Invalid query parameter provided" and is caused by Upstream PR RocketChat#25648 "Chore: Rest API query parameters handling" commit 31ae30f which limited which MongoDB query filters may be passed in via the RC API.

That PR was correct to restrict the query, but did not whitelist enough fields. SAPI’s current integration with RocketChat depends on `customFields` being exposed.

Security Considerations: Although none of SAPI’s customFields contain sensitive data, other RC installations might indeed store sensitive data there. It’s not clear, therefore, whether this patch should be PR’d upstream.
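The security consideration above comes down to how wide the allowlist is: one named path versus every key under `customFields`. The sketch below is an added example, not code from this commit, SAPI or Rocket.Chat; it allowlists only the path SAPI queries, and all function and constant names, the permitted operators, and every field other than `customFields.sa_id` are assumptions for illustration.

```javascript
// Added example: hypothetical allowlist validator, not Rocket.Chat's implementation.
// Only customFields.sa_id comes from the commit message; other entries are constructed.
const ALLOWED_FIELDS = new Set(['username', 'name', 'status', 'customFields.sa_id']);
const ALLOWED_OPERATORS = new Set(['$and', '$or', '$in', '$eq', '$ne', '$exists']);

// Walk a parsed query and collect rejection reasons; an empty array means it passes.
function findInvalidAttributes(query, parentField = null, errors = []) {
  if (Array.isArray(query)) {
    query.forEach((item) => findInvalidAttributes(item, parentField, errors));
    return errors;
  }
  if (query === null || typeof query !== 'object') {
    return errors; // scalar comparison value: nothing to check
  }
  for (const [key, value] of Object.entries(query)) {
    if (key.startsWith('$')) {
      if (!ALLOWED_OPERATORS.has(key)) errors.push(`Invalid operator: ${key}`);
      findInvalidAttributes(value, parentField, errors);
    } else {
      // A nested document addresses the same data as a dotted path, so build the full path.
      const path = parentField ? `${parentField}.${key}` : key;
      const isLeaf = value === null || typeof value !== 'object' || Array.isArray(value)
        || Object.keys(value).every((k) => k.startsWith('$'));
      if (isLeaf && !ALLOWED_FIELDS.has(path)) errors.push(`Invalid attribute: ${path}`);
      findInvalidAttributes(value, path, errors);
    }
  }
  return errors;
}

// Entry point for the raw `query` string taken from the request URL.
function validateUserQuery(rawQuery) {
  let parsed;
  try {
    parsed = JSON.parse(rawQuery);
  } catch (err) {
    return ['Query is not valid JSON'];
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return ['Query must be a JSON object'];
  }
  return findInvalidAttributes(parsed);
}
```

With this shape, an installation that stores sensitive values in other custom fields keeps them unqueryable, because a path must be listed explicitly before it can appear in a filter.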