Closed Bug 1011220 Opened 6 years ago Closed 5 years ago

Vouched-user API keys have "public"-level access to user fields

Categories

(Participation Infrastructure :: Phonebook, defect)

2015-2.3
defect
Not set

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: hoosteeno, Unassigned)

References

(Blocks 1 open bug)

Details

When we undertake bug 1011209, we'll create a mechanism for any vouched user of Mozillians.org to get an API key. 

These API keys will have "public"-level access to Mozillians.org data. In the UI that means they can search for users and results will include users who have at least one public field. In the API it means the holders of these keys can access the following resources:

* /users/
Vouched-user API keys can request information from the /users/ endpoint and will get a response including users matching the request parameters who have at least one public field. The fields returned with user records will be only those marked as public.

* /lookup-user/?email=...
Vouched-user API keys can lookup a user by the login email address associated with the user account. The response for this will include at least the email address sent in the request, the user's vouched status, and a (non-PII-leaking) link to a user resource. For example, if the requested record has no public fields, the response look something like this:

{ email=foo@bar.org, vouched=true(false), resource=/user/user_number }

And if the requested record has public fields, the response will look something like this:

{ email=foo@bar, vouched=true(false), resource=/user/user_number, public_field_1=foo, public_field_2=bar, ... }
Assignee: nobody → giorgos
Status: NEW → ASSIGNED
De-assigning myself since I'm not working on mozillians now.
Assignee: giorgos → nobody
Status: ASSIGNED → NEW
Merged here: https://github.com/mozilla/mozillians/pull/1152
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Version: other → next
Status: RESOLVED → VERIFIED
Version: next → 2015-2.3
You need to log in before you can comment on or make changes to this bug.