1011220 - Vouched-user API keys have "public"-level access to user fields

Status: VERIFIED FIXED

(Participation Infrastructure :: Phonebook, defect)

Description

[Justin Crawford [:hoosteeno] [:jcrawford]]

When we undertake bug 1011209, we'll create a mechanism for any vouched user of Mozillians.org to get an API key. 

These API keys will have "public"-level access to Mozillians.org data. In the UI that means they can search for users and results will include users who have at least one public field. In the API it means the holders of these keys can access the following resources:

* /users/
Vouched-user API keys can request information from the /users/ endpoint and will get a response including users matching the request parameters who have at least one public field. The fields returned with user records will be only those marked as public.

* /lookup-user/?email=...
Vouched-user API keys can lookup a user by the login email address associated with the user account. The response for this will include at least the email address sent in the request, the user's vouched status, and a (non-PII-leaking) link to a user resource. For example, if the requested record has no public fields, the response look something like this:

{ email=foo@bar.org, vouched=true(false), resource=/user/user_number }

And if the requested record has public fields, the response will look something like this:

{ email=foo@bar, vouched=true(false), resource=/user/user_number, public_field_1=foo, public_field_2=bar, ... }

Comment 1

[Giorgos Logiotatidis [:giorgos]]

De-assigning myself since I'm not working on mozillians now.

Comment 2

[John Giannelos [:nemo-yiannis]]

Merged here: https://github.com/mozilla/mozillians/pull/1152