currentUser might not be fully populated

Created on 2 August 2023, over 1 year ago

Problem/Motivation

When a View returns rows with permission checks, a fully populated User object is required. However, when a user accesses the JSON API via an OAuth Bearer token using the Simple OAuth (OAuth2) & OpenID Connect → module, the provided User object is incomplete. Consequently, the response returned is that of a generic authenticated user, not a response based on the specific user's roles and permissions.

Steps to Reproduce

Create a View accessible only to authenticated users, with the displayed entities being determined by user permissions (roles).
Create two users with different permissions, each of whom should see different view outputs.
Access the /jsonapi/views/[view_name]/[view_page] endpoint with bearer tokens for each user.

The returned JSON will be identical for both users, which is incorrect.

Proposed Resolution

Fully reload the User object after authentication. This should ensure the User object is fully populated and can be used correctly for permission checks.

🐛 Bug report

Status

Active

Version

1.1

Component

Code

Created by

🇬🇧United Kingdom seogow

Live updates comments and jobs are added and updated live.

Bug report

Comments & Activities

Issue created by @seogow
Comment over 1 year ago →
🇬🇧United Kingdom seogow

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024