create users findAll service for superusers (#996)

maproulette · Dec 8, 2022 · 0ed5b37 · 0ed5b37
1 parent ac83268
commit 0ed5b37
Show file tree

Hide file tree

Showing 3 changed files with 70 additions and 0 deletions.
diff --git a/app/org/maproulette/framework/controller/UserController.scala b/app/org/maproulette/framework/controller/UserController.scala
@@ -534,4 +534,26 @@ class UserController @Inject() (
       )
     }
   }
+
+  /**
+    * Uses the search parameters from the query string to find users
+    *
+    * @param limit limits the amount of results returned
+    * @param page paging mechanism for limited results
+    * @param sort sorts users asc or desc
+    * @return A list of challenges matching the query string parameters
+    */
+  def extendedFind(limit: Int, page: Int, sort: String): Action[AnyContent] =
+    Action.async { implicit request =>
+      this.sessionManager.userAwareRequest { implicit user =>
+        if (user.get != None) {
+          val users = this.serviceManager.user.extendedFind(user.get)
+          Ok(Json.toJson(users))
+        } else {
+          throw new IllegalAccessException(
+            "User not found or does not have access rights"
+          )
+        }
+      }
+    }
 }
diff --git a/app/org/maproulette/framework/service/UserService.scala b/app/org/maproulette/framework/service/UserService.scala
@@ -112,6 +112,28 @@ class UserService @Inject() (
       }
     }
 
+  /**
+    * Fetches a list of users, for security we only
+    * allow super users access to this function
+    *
+    * @param user     The user making the request
+    * @return An optional user object, if none then not found
+    */
+  def extendedFind(user: User): List[User] =
+    // only execute this kind of request if the user is a super user
+    if (permission.isSuperUser(user)) {
+      this.query(
+        Query.simple(
+          List(BaseParameter(User.FIELD_ID, -999, Operator.NE))
+        ),
+        user
+      )
+    } else {
+      throw new IllegalAccessException(
+        "Only Superusers are allowed to use this service"
+      )
+    }
+
   /**
     * Allow users to search for other users by OSM username.
     *

diff --git a/conf/v2_route/user.api b/conf/v2_route/user.api
@@ -219,6 +219,32 @@ GET     /users/find/:username                          @org.maproulette.framewor
 GET     /users/find                                    @org.maproulette.framework.controller.UserController.searchUserByOSMUsername(username:String ?= "", limit:Int ?= 10)
 ###
 # tags: [ User ]
+# summary: Get a list of users
+# produces: [ application/json ]
+# description: Retrieves list of matching users
+# responses:
+#   '200':
+#     description: The retrieved users
+#     schema:
+#       $ref: '#/definitions/org.maproulette.framework.model.User'
+#   '401':
+#     description: The user is not authorized to make this request
+# parameters:
+#   - name: apiKey
+#     in: header
+#     description: The user's apiKey to authorize the request
+#     required: true
+#     type: string
+#   - name: limit
+#     in: query
+#     description: Limit the number of results returned in the response. Default value is 10.
+#   - name: page
+#     in: query
+#     description: Used in conjunction with the limit parameter to page through X number of responses.
+###
+GET     /users                                         @org.maproulette.framework.controller.UserController.extendedFind(limit:Int ?= 10, page:Int ?= 0, sort:String ?= "")
+###
+# tags: [ User ]
 # summary: Retrieves Users Saved Challenged
 # produces: [ application/json ]
 # description: Retrieves that list of challenges that has been saved by the User