github-starred/vikunja
2
0
Fork 0
mirror of https://github.com/go-vikunja/vikunja.git synced 2026-05-20 18:23:10 -05:00
Code Issues 690 Packages Projects Releases 11 Wiki Activity
Files
feat-huma-api-v2-migration
vikunja/pkg/user/users_project.go
kolaente 22d82e292b feat(user): always include own bots in user search 
User search previously filtered bots only when they happened to match the
search string. That produced two bad behaviours:

1. Bots owned by other users could surface on an exact-username match,
   leaking them into assignee pickers and similar UI.
2. A user could not reliably find their own bots by typing a partial
   name, so bots became awkward to assign to tasks.

Change ListUsers to treat bot ownership explicitly: the existing match
branch excludes rows owned by someone else, and a second branch always
returns bots owned by the calling user. The own-bots branch also
respects any AdditionalCond passed in so project-scoped listings don't
start leaking bots from outside the project.
2026-05-01 14:44:10 +00:00

208 lines
5.2 KiB
Go
Raw Permalink Blame History

// Vikunja is a to-do list application to facilitate your life.
// Copyright 2018-present Vikunja and contributors. All rights reserved.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
package user
import (
"strings"
"code.vikunja.io/api/pkg/config"
"code.vikunja.io/api/pkg/db"
"xorm.io/builder"
"xorm.io/xorm"
"xorm.io/xorm/schemas"
)
type ProjectUserOpts struct {
AdditionalCond builder.Cond
ReturnAllIfNoSearchProvided bool
MatchFuzzily bool
}
// ListUsers returns a list with all users, filtered by an optional search string
func ListUsers(s *xorm.Session, search string, currentUser *User, opts *ProjectUserOpts) (users []*User, err error) {
if opts == nil {
opts = &ProjectUserOpts{}
}
// Prevent searching for placeholders
search = strings.ReplaceAll(search, "%", "")
if (search == "" || strings.ReplaceAll(search, " ", "") == "") && !opts.ReturnAllIfNoSearchProvided {
return
}
conds := []builder.Cond{}
// Subquery: find user IDs that share an external team with the current user
externalTeamMemberIDs := builder.Select("tm2.user_id").
From("team_members tm1").
Join("INNER", "team_members tm2", "tm1.team_id = tm2.team_id").
Join("INNER", "teams t", "t.id = tm1.team_id").
Where(builder.And(
builder.Eq{"tm1.user_id": currentUser.ID},
builder.Neq{"t.external_id": ""},
builder.Neq{"tm2.user_id": currentUser.ID},
))
queryParts := strings.Split(search, ",")
if search != "" {
for _, queryPart := range queryParts {
if opts.MatchFuzzily {
conds = append(conds,
db.ILIKE("name", queryPart),
db.ILIKE("username", queryPart),
db.ILIKE("email", queryPart),
)
continue
}
var usernameCond builder.Cond = builder.Eq{"username": queryPart}
if db.Type() == schemas.POSTGRES {
usernameCond = builder.Expr("username ILIKE ?", queryPart)
}
if db.Type() == schemas.SQLITE {
usernameCond = builder.Expr("username = ? COLLATE NOCASE", queryPart)
}
conds = append(conds,
usernameCond,
builder.And(
db.ILIKE("name", queryPart),
builder.Eq{"discoverable_by_name": true},
),
// External team bypass: match by name or email without discoverability check
builder.And(
builder.In("id", externalTeamMemberIDs),
builder.Or(
db.ILIKE("name", queryPart),
builder.Eq{"email": queryPart},
),
),
)
}
}
if !opts.MatchFuzzily {
conds = append(conds,
builder.And(
builder.In("email", queryParts),
builder.Eq{"discoverable_by_email": true},
),
)
}
cond := builder.Or(conds...)
if opts.AdditionalCond != nil {
cond = builder.And(
cond,
opts.AdditionalCond,
)
}
if config.ServiceEnableOpenIDTeamUserOnlySearch.GetBool() {
teamMemberCond := builder.In("id", builder.Select("user_id").
From("team_members").
Where(builder.In("team_id",
builder.Select("team_id").
From("team_members").
Where(builder.Eq{"team_members.user_id": currentUser.ID}),
)),
)
if !opts.MatchFuzzily {
cond = builder.And(
cond,
builder.Or(
teamMemberCond,
builder.And(
builder.In("email", queryParts),
builder.Eq{"discoverable_by_email": true},
),
),
)
} else {
cond = builder.And(
cond,
teamMemberCond,
)
}
}
notSomeoneElsesBot := builder.Or(
builder.IsNull{"bot_owner_id"},
builder.Eq{"bot_owner_id": 0},
builder.Eq{"bot_owner_id": currentUser.ID},
)
// Own bots: filtered by the search string when one is provided (matched
// against username and name), but bypass the discoverable_by_name flag
// regular users have. Without a search, ListUsers only returns rows when
// ReturnAllIfNoSearchProvided is set, so we surface own bots there too.
var ownBotCond builder.Cond = builder.Eq{"bot_owner_id": currentUser.ID}
if search != "" {
botSearchConds := []builder.Cond{}
for _, queryPart := range queryParts {
if opts.MatchFuzzily {
botSearchConds = append(botSearchConds,
db.ILIKE("name", queryPart),
db.ILIKE("username", queryPart),
)
continue
}
botSearchConds = append(botSearchConds,
db.ILIKE("username", queryPart),
db.ILIKE("name", queryPart),
)
}
ownBotCond = builder.And(
builder.Eq{"bot_owner_id": currentUser.ID},
builder.Or(botSearchConds...),
)
}
err = s.
Where(builder.Or(
builder.And(cond, notSomeoneElsesBot),
ownBotCond,
)).
OrderBy("id").
Find(&users)
outer:
for _, u := range users {
for _, part := range strings.Split(search, ",") {
if u.Email == part {
continue outer
}
}
u.Email = ""
}
return
}
// ListAllUsers returns all users
func ListAllUsers(s *xorm.Session) (users []*User, err error) {
err = s.Find(&users)
return
}
Reference in New Issue View Git Blame Copy Permalink