Closed
Bug 864626
Opened 11 years ago
Closed 11 years ago
Consider returning email in search results for authenticated users
Categories
(Webmaker Graveyard :: MakeAPI, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: mjschranz, Unassigned)
Details
While testing Scott's patch for searching by email, I was puzzled at first that I wasn't getting email in the results, before remembering the patch I landed. Then it hit me: how can I easily know from the consumer's perspective (our apps) that it is returning the correct data when filtering on email? I think for security reasons we definitely want it turned off by default, but it seems sane to me that authenticated users should be able to see the email in the results that come back. Thoughts?
Flags: needinfo?(swex)
Flags: needinfo?(scott)
Flags: needinfo?(jon)
Flags: needinfo?(david.humphrey)
Flags: needinfo?(chris)
Comment 1•11 years ago
Hm, why do you ever need the email returned? Do you need to confirm the data you requested is in fact the data you requested? Is there a reason it would not be the user's data? I think this is why searching on email needs to be possible while searching something else, because you cannot go back over the data and search again. It does sound reasonable to return the email to authenticated users if we have a reason to do so.
Flags: needinfo?(scott)
Comment 2•11 years ago
-1 to getting emails back. I would personally prefer not to have my email being turned up in other people's search results. I see no reason that authenticated or anonymous requests to the API would ever need to get the email address of the creator. IMHO, it should be a webmaker username and not an email.
Flags: needinfo?(chris)
Comment 3•11 years ago
Yeah, Chris is spot on. Arguably, the MakeAPI shouldn't even store email addresses; it should store some webmaker user id.
Flags: needinfo?(jon)
Reporter
Comment 4•11 years ago
Webmaker user id is too specific. In an ideal world the schema should support makes that aren't coming from our tools.
Comment 5•11 years ago
Can you not sanitize things for the public (i.e., from browser) case, and leave this in for the internal, basic auth case (i.e., from one of our node apps)? Just strip the email when you hand it out to the public.
Flags: needinfo?(david.humphrey)
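The approach suggested in comment 5, sketched as an added example that is not part of the bug thread or MakeAPI's own code: responses are built from an allowlist of fields, and `email` is included only when the request carries valid Basic auth for a known internal app. The field names, the client table and the credentials are assumptions made for illustration.

```javascript
// Added example: field names and credentials are assumptions, not MakeAPI's schema.
const PUBLIC_FIELDS = ['id', 'title', 'url', 'username'];  // safe for any caller
const INTERNAL_FIELDS = [...PUBLIC_FIELDS, 'email'];       // trusted apps only

// Constructed credentials for one internal node app (placeholder values).
const INTERNAL_CLIENTS = { 'example-app': 'constructed-secret' };

// Length-checked XOR compare that does not exit early on the first mismatch.
// In production, prefer Node's crypto.timingSafeEqual.
function safeEqual(a, b) {
  const x = Buffer.from(String(a)), y = Buffer.from(String(b));
  let diff = x.length ^ y.length;
  for (let i = 0; i < x.length; i++) diff |= x[i] ^ y[i % (y.length || 1)];
  return diff === 0;
}

// True only for a well-formed Basic header that matches a known internal client.
function isInternalCaller(authHeader) {
  const m = /^Basic ([A-Za-z0-9+/=]+)$/.exec(authHeader || '');
  if (!m) return false;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep < 1) return false;
  const user = decoded.slice(0, sep), pass = decoded.slice(sep + 1);
  // hasOwnProperty guards against names such as "__proto__" resolving to inherited values.
  const known = Object.prototype.hasOwnProperty.call(INTERNAL_CLIENTS, user);
  return known && safeEqual(pass, INTERNAL_CLIENTS[user]);
}

// Allowlist projection: a field added to the store later stays private until listed.
function serializeMake(make, authHeader) {
  const fields = isInternalCaller(authHeader) ? INTERNAL_FIELDS : PUBLIC_FIELDS;
  const out = {};
  for (const f of fields) {
    if (Object.prototype.hasOwnProperty.call(make, f)) out[f] = make[f];
  }
  return out;
}

// Constructed sample record, including a field that must never leave the server.
const sampleMake = {
  id: 1, title: 'Demo', url: 'https://example.org/m/1',
  username: 'alice', email: 'alice@example.org', _internalNote: 'x',
};
```

Failing closed matters here: a missing, malformed or wrong header yields the public view rather than an error path that might leak the full record.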
Comment 6•11 years ago
With usernames in place this feels resolved.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Reporter
Updated•11 years ago
Flags: needinfo?(swex)