Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 3 additions & 2 deletions api/docs/space-api-docs.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -193,8 +193,9 @@ paths:
type: string
description: |
Search query to match against usernames (case-insensitive regex).
- If provided and not empty: performs search filtering
- If not provided or empty: returns all users (ADMIN required)
- If provided with 4 or more characters: performs search filtering
- If not provided: returns all users (ADMIN required)
- If provided with less than 4 characters: returns users that match the filter (ADMIN required)
example: john
- name: limit
in: query
Expand Down
4 changes: 2 additions & 2 deletions api/src/main/controllers/UserController.ts
Original file line number Diff line number Diff line change
Expand Up @@ -72,8 +72,8 @@ class UserController {
return res.status(401).send({ error: 'Authentication required' });
}

if (q.length === 0 && req.user.role !== 'ADMIN') {
return res.status(403).send({ error: 'PERMISSION ERROR: Only admins can retrieve the full user list without a search query' });
if (q.length < 4 && req.user.role !== 'ADMIN') {
return res.status(403).send({ error: 'PERMISSION ERROR: Only admins can retrieve the full user list without providing at least 4 characters in the search query' });
}

const searchLimit = limit ? parseInt(limit, 10) : 10;
Expand Down
45 changes: 45 additions & 0 deletions api/src/test/user.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -388,6 +388,51 @@ describe('User API routes', function () {
expect(response.body).toHaveProperty('pagination');
});
});

describe('ACCESS CONTROL: USER role restrictions', function () {
it('returns 403 when USER tries to list users without q parameter', async function () {
const user = await createTestUser('USER', `user_no_q_${Date.now()}`);
trackUserForCleanup(user);

const response = await request(app)
.get(`${baseUrl}/users`)
.set('x-api-key', user.apiKey);

expect(response.status).toBe(403);
expect(response.body.error).toBeDefined();
});

it('returns 403 when USER provides q with fewer than 4 characters', async function () {
const user = await createTestUser('USER', `user_short_q_${Date.now()}`);
trackUserForCleanup(user);

const response = await request(app)
.get(`${baseUrl}/users?q=abc`)
.set('x-api-key', user.apiKey);

expect(response.status).toBe(403);
expect(response.body.error).toBeDefined();
});

it('returns 200 when USER provides q with 4 or more characters', async function () {
const requester = await createTestUser('USER', `user_q_ok_${Date.now()}`);
const match1 = await createTestUser('USER', `match_user_01_${Date.now()}`);
const match2 = await createTestUser('USER', `match_user_02_${Date.now()}`);

trackUserForCleanup(requester);
trackUserForCleanup(match1);
trackUserForCleanup(match2);

const response = await request(app)
.get(`${baseUrl}/users?q=match_user`)
.set('x-api-key', requester.apiKey);

expect(response.status).toBe(200);
expect(response.body).toHaveProperty('data');
expect(Array.isArray(response.body.data)).toBeTruthy();
expect(response.body.data.length).toBeGreaterThanOrEqual(2);
});
});
});


Expand Down
2 changes: 1 addition & 1 deletion frontend/src/pages/members/index.tsx
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@ export default function MembersPage() {
const trimmedQuery = userSearchQuery.trim();
latestSearchQueryRef.current = trimmedQuery;

if (!trimmedQuery || trimmedQuery.length < 2) {
if (!trimmedQuery || trimmedQuery.length < 4) {
setSearchResults([]);
setShowDropdown(false);
return;
Expand Down
Loading