[FIX] "*.members" rest api being useless and only returning usernames #8147
Am I wrong, or could I exploit this to get any user's field? (Waiting for the Heroku deployment to test it.)

You're not wrong 👎 We almost need a list of fields in the system which a normal user can access and which ones an admin can access. I can change things so that only the

I would say to change it so only admins could request any additional field.
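The restriction discussed in the comments above (a fixed list for normal users, extra fields for admins only), sketched as an added example that is not code from this PR or from Rocket.Chat. The function name, the `isAdmin` flag and the contents of both sets are assumptions made for illustration.

```javascript
// Added example; every name and list below is an assumption, not Rocket.Chat code.
const BASE_FIELDS = ['_id', 'username', 'status'];      // the defaults in the PR's projection
const MEMBER_VISIBLE = new Set(['name', 'utcOffset']);  // constructed: fields any member may request
const ALWAYS_HIDDEN = new Set(['services', 'emails', 'roles']); // constructed stand-in for the exclude list

// Build an inclusion-only MongoDB projection from caller-supplied `requested`.
function buildMemberProjection(requested, isAdmin) {
  const projection = {};
  for (const key of BASE_FIELDS) projection[key] = 1;

  for (const [key, value] of Object.entries(requested || {})) {
    if (value !== 1) continue;                     // callers may add fields, never drop defaults
    const top = key.split('.')[0];                 // "services.password.bcrypt" -> "services"
    if (top === '' || key.includes('$')) continue; // no empty paths or projection operators
    if (ALWAYS_HIDDEN.has(top)) continue;          // hidden for everyone, admins included
    if (!isAdmin && !MEMBER_VISIBLE.has(top)) continue; // non-admins: allowlist only
    projection[key] = 1;
  }
  return projection;
}

// Constructed request: a caller asking for credential and e-mail data.
const probe = { name: 1, emails: 1, 'services.password.bcrypt': 1, customFields: 1, username: 0 };
console.log('member:', buildMemberProjection(probe, false));
console.log('admin: ', buildMemberProjection(probe, true));
```

Because the result is inclusion-only, a sensitive field added to the user document later stays out of the response until someone adds it to an allowlist.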

Any chance to return the user avatar on this rest api call? Because we always show the avatar when we need to see the member list of a room.

@filipedelimabrito the

Thanks, but how can I get the user avatar if the customization allows it? Anyway, this is a call that requires authentication, so only a registered user can see (in case the customization allows it) the member list of a room.

@filipedelimabrito For example: https://demo.rocket.chat/avatar/bradley.hilton
| }); | ||
|
|
||
| const ourFields = Object.assign({ _id: 1, username: 1, status: 1 }, fields, RocketChat.API.v1.defaultFieldsToExclude); | ||
| const users = RocketChat.models.Users.find({ username: { $in: members } }, { fields: ourFields }).fetch(); |
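Review bot: on the `ourFields` line, `fields` is merged into the projection after the three defaults with no allowlist, so if `fields` is taken from the request, as the conversation indicates, any user field that `RocketChat.API.v1.defaultFieldsToExclude` does not name is returned to the caller. Filter `fields` down to a fixed set of member-visible keys before the `Object.assign`, and accept arbitrary extra fields only from callers with an admin permission; an exclusion list fails open whenever a new sensitive field is added to the user document.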
How heavy is this find on large rooms?
What about using a cache for that?
RocketChat.models.Subscriptions.find({rid: 'GENERAL'}).forEach(item => console.log(item._user))
It's limited to 50 by default but users can request more and if they request a ton, then that load is on them.
…list api for that
[FIX] "*.members" rest api being useless and only returning usernames
@RocketChat/core
Closes #8116