diff --git a/app/config/specs/open-api3-1.6.x-console.json b/app/config/specs/open-api3-1.6.x-console.json index ecd295509f..4fa3f5d69e 100644 --- a/app/config/specs/open-api3-1.6.x-console.json +++ b/app/config/specs/open-api3-1.6.x-console.json @@ -20670,6 +20670,99 @@ } } }, + "\/projects\/{projectId}\/auth\/memberships-privacy": { + "patch": { + "summary": "Update project team sensitive attributes", + "operationId": "projectsUpdateMembershipsPrivacy", + "tags": [ + "projects" + ], + "description": "", + "responses": { + "200": { + "description": "Project", + "content": { + "application\/json": { + "schema": { + "$ref": "#\/components\/schemas\/project" + } + } + } + } + }, + "x-appwrite": { + "method": "updateMembershipsPrivacy", + "weight": 161, + "cookies": false, + "type": "", + "deprecated": false, + "demo": "projects\/update-memberships-privacy.md", + "edit": "https:\/\/github.com\/appwrite\/appwrite\/edit\/master", + "rate-limit": 0, + "rate-time": 3600, + "rate-key": "url:{url},ip:{ip}", + "scope": "projects.write", + "platforms": [ + "console" + ], + "packaging": false, + "offline-model": "", + "offline-key": "", + "offline-response-key": "$id", + "auth": { + "Project": [] + } + }, + "security": [ + { + "Project": [] + } + ], + "parameters": [ + { + "name": "projectId", + "description": "Project unique ID.", + "required": true, + "schema": { + "type": "string", + "x-example": "" + }, + "in": "path" + } + ], + "requestBody": { + "content": { + "application\/json": { + "schema": { + "type": "object", + "properties": { + "userName": { + "type": "boolean", + "description": "Set to true to show userName to members of a team.", + "x-example": false + }, + "userEmail": { + "type": "boolean", + "description": "Set to true to show email to members of a team.", + "x-example": false + }, + "mfa": { + "type": "boolean", + "description": "Set to true to show mfa to members of a team.", + "x-example": false + } + }, + "required": [ + "userName", + "userEmail", + "mfa" + ] + } + } + } + } + } + }, "\/projects\/{projectId}\/auth\/mock-numbers": { "patch": { "summary": "Update the mock numbers for the project", @@ -21078,87 +21171,6 @@ } } }, - "\/projects\/{projectId}\/auth\/teams-sensitive-attributes": { - "patch": { - "summary": "Update project team sensitive attributes", - "operationId": "projectsUpdateTeamsSensitiveAttributes", - "tags": [ - "projects" - ], - "description": "", - "responses": { - "200": { - "description": "Project", - "content": { - "application\/json": { - "schema": { - "$ref": "#\/components\/schemas\/project" - } - } - } - } - }, - "x-appwrite": { - "method": "updateTeamsSensitiveAttributes", - "weight": 161, - "cookies": false, - "type": "", - "deprecated": false, - "demo": "projects\/update-teams-sensitive-attributes.md", - "edit": "https:\/\/github.com\/appwrite\/appwrite\/edit\/master", - "rate-limit": 0, - "rate-time": 3600, - "rate-key": "url:{url},ip:{ip}", - "scope": "projects.write", - "platforms": [ - "console" - ], - "packaging": false, - "offline-model": "", - "offline-key": "", - "offline-response-key": "$id", - "auth": { - "Project": [] - } - }, - "security": [ - { - "Project": [] - } - ], - "parameters": [ - { - "name": "projectId", - "description": "Project unique ID.", - "required": true, - "schema": { - "type": "string", - "x-example": "" - }, - "in": "path" - } - ], - "requestBody": { - "content": { - "application\/json": { - "schema": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "description": "Set to true to show sensitive attributes to team members.", - "x-example": false - } - }, - "required": [ - "enabled" - ] - } - } - } - } - } - }, "\/projects\/{projectId}\/auth\/{method}": { "patch": { "summary": "Update project auth method status. Use this endpoint to enable or disable a given auth method for this project.", @@ -36065,9 +36077,19 @@ "description": "Whether or not to send session alert emails to users.", "x-example": true }, - "teamsSensitiveAttributes": { + "membershipsUserName": { "type": "boolean", - "description": "Whether or not to show sensitive attributes in the teams API.", + "description": "Whether or not to show user names in the teams membership response.", + "x-example": true + }, + "membershipsUserEmail": { + "type": "boolean", + "description": "Whether or not to show user emails in the teams membership response.", + "x-example": true + }, + "membershipsMfa": { + "type": "boolean", + "description": "Whether or not to show user MFA status in the teams membership response.", "x-example": true }, "oAuthProviders": { @@ -36275,7 +36297,9 @@ "authPersonalDataCheck", "authMockNumbers", "authSessionAlerts", - "teamsSensitiveAttributes", + "membershipsUserName", + "membershipsUserEmail", + "membershipsMfa", "oAuthProviders", "platforms", "webhooks", diff --git a/app/config/specs/open-api3-latest-console.json b/app/config/specs/open-api3-latest-console.json index ecd295509f..4fa3f5d69e 100644 --- a/app/config/specs/open-api3-latest-console.json +++ b/app/config/specs/open-api3-latest-console.json @@ -20670,6 +20670,99 @@ } } }, + "\/projects\/{projectId}\/auth\/memberships-privacy": { + "patch": { + "summary": "Update project team sensitive attributes", + "operationId": "projectsUpdateMembershipsPrivacy", + "tags": [ + "projects" + ], + "description": "", + "responses": { + "200": { + "description": "Project", + "content": { + "application\/json": { + "schema": { + "$ref": "#\/components\/schemas\/project" + } + } + } + } + }, + "x-appwrite": { + "method": "updateMembershipsPrivacy", + "weight": 161, + "cookies": false, + "type": "", + "deprecated": false, + "demo": "projects\/update-memberships-privacy.md", + "edit": "https:\/\/github.com\/appwrite\/appwrite\/edit\/master", + "rate-limit": 0, + "rate-time": 3600, + "rate-key": "url:{url},ip:{ip}", + "scope": "projects.write", + "platforms": [ + "console" + ], + "packaging": false, + "offline-model": "", + "offline-key": "", + "offline-response-key": "$id", + "auth": { + "Project": [] + } + }, + "security": [ + { + "Project": [] + } + ], + "parameters": [ + { + "name": "projectId", + "description": "Project unique ID.", + "required": true, + "schema": { + "type": "string", + "x-example": "" + }, + "in": "path" + } + ], + "requestBody": { + "content": { + "application\/json": { + "schema": { + "type": "object", + "properties": { + "userName": { + "type": "boolean", + "description": "Set to true to show userName to members of a team.", + "x-example": false + }, + "userEmail": { + "type": "boolean", + "description": "Set to true to show email to members of a team.", + "x-example": false + }, + "mfa": { + "type": "boolean", + "description": "Set to true to show mfa to members of a team.", + "x-example": false + } + }, + "required": [ + "userName", + "userEmail", + "mfa" + ] + } + } + } + } + } + }, "\/projects\/{projectId}\/auth\/mock-numbers": { "patch": { "summary": "Update the mock numbers for the project", @@ -21078,87 +21171,6 @@ } } }, - "\/projects\/{projectId}\/auth\/teams-sensitive-attributes": { - "patch": { - "summary": "Update project team sensitive attributes", - "operationId": "projectsUpdateTeamsSensitiveAttributes", - "tags": [ - "projects" - ], - "description": "", - "responses": { - "200": { - "description": "Project", - "content": { - "application\/json": { - "schema": { - "$ref": "#\/components\/schemas\/project" - } - } - } - } - }, - "x-appwrite": { - "method": "updateTeamsSensitiveAttributes", - "weight": 161, - "cookies": false, - "type": "", - "deprecated": false, - "demo": "projects\/update-teams-sensitive-attributes.md", - "edit": "https:\/\/github.com\/appwrite\/appwrite\/edit\/master", - "rate-limit": 0, - "rate-time": 3600, - "rate-key": "url:{url},ip:{ip}", - "scope": "projects.write", - "platforms": [ - "console" - ], - "packaging": false, - "offline-model": "", - "offline-key": "", - "offline-response-key": "$id", - "auth": { - "Project": [] - } - }, - "security": [ - { - "Project": [] - } - ], - "parameters": [ - { - "name": "projectId", - "description": "Project unique ID.", - "required": true, - "schema": { - "type": "string", - "x-example": "" - }, - "in": "path" - } - ], - "requestBody": { - "content": { - "application\/json": { - "schema": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "description": "Set to true to show sensitive attributes to team members.", - "x-example": false - } - }, - "required": [ - "enabled" - ] - } - } - } - } - } - }, "\/projects\/{projectId}\/auth\/{method}": { "patch": { "summary": "Update project auth method status. Use this endpoint to enable or disable a given auth method for this project.", @@ -36065,9 +36077,19 @@ "description": "Whether or not to send session alert emails to users.", "x-example": true }, - "teamsSensitiveAttributes": { + "membershipsUserName": { "type": "boolean", - "description": "Whether or not to show sensitive attributes in the teams API.", + "description": "Whether or not to show user names in the teams membership response.", + "x-example": true + }, + "membershipsUserEmail": { + "type": "boolean", + "description": "Whether or not to show user emails in the teams membership response.", + "x-example": true + }, + "membershipsMfa": { + "type": "boolean", + "description": "Whether or not to show user MFA status in the teams membership response.", "x-example": true }, "oAuthProviders": { @@ -36275,7 +36297,9 @@ "authPersonalDataCheck", "authMockNumbers", "authSessionAlerts", - "teamsSensitiveAttributes", + "membershipsUserName", + "membershipsUserEmail", + "membershipsMfa", "oAuthProviders", "platforms", "webhooks", diff --git a/app/config/specs/swagger2-1.6.x-console.json b/app/config/specs/swagger2-1.6.x-console.json index 0c96ba472b..bba9cd9ca3 100644 --- a/app/config/specs/swagger2-1.6.x-console.json +++ b/app/config/specs/swagger2-1.6.x-console.json @@ -21136,6 +21136,100 @@ ] } }, + "\/projects\/{projectId}\/auth\/memberships-privacy": { + "patch": { + "summary": "Update project team sensitive attributes", + "operationId": "projectsUpdateMembershipsPrivacy", + "consumes": [ + "application\/json" + ], + "produces": [ + "application\/json" + ], + "tags": [ + "projects" + ], + "description": "", + "responses": { + "200": { + "description": "Project", + "schema": { + "$ref": "#\/definitions\/project" + } + } + }, + "x-appwrite": { + "method": "updateMembershipsPrivacy", + "weight": 161, + "cookies": false, + "type": "", + "deprecated": false, + "demo": "projects\/update-memberships-privacy.md", + "edit": "https:\/\/github.com\/appwrite\/appwrite\/edit\/master", + "rate-limit": 0, + "rate-time": 3600, + "rate-key": "url:{url},ip:{ip}", + "scope": "projects.write", + "platforms": [ + "console" + ], + "packaging": false, + "offline-model": "", + "offline-key": "", + "offline-response-key": "$id", + "auth": { + "Project": [] + } + }, + "security": [ + { + "Project": [] + } + ], + "parameters": [ + { + "name": "projectId", + "description": "Project unique ID.", + "required": true, + "type": "string", + "x-example": "", + "in": "path" + }, + { + "name": "payload", + "in": "body", + "schema": { + "type": "object", + "properties": { + "userName": { + "type": "boolean", + "description": "Set to true to show userName to members of a team.", + "default": null, + "x-example": false + }, + "userEmail": { + "type": "boolean", + "description": "Set to true to show email to members of a team.", + "default": null, + "x-example": false + }, + "mfa": { + "type": "boolean", + "description": "Set to true to show mfa to members of a team.", + "default": null, + "x-example": false + } + }, + "required": [ + "userName", + "userEmail", + "mfa" + ] + } + } + ] + } + }, "\/projects\/{projectId}\/auth\/mock-numbers": { "patch": { "summary": "Update the mock numbers for the project", @@ -21539,86 +21633,6 @@ ] } }, - "\/projects\/{projectId}\/auth\/teams-sensitive-attributes": { - "patch": { - "summary": "Update project team sensitive attributes", - "operationId": "projectsUpdateTeamsSensitiveAttributes", - "consumes": [ - "application\/json" - ], - "produces": [ - "application\/json" - ], - "tags": [ - "projects" - ], - "description": "", - "responses": { - "200": { - "description": "Project", - "schema": { - "$ref": "#\/definitions\/project" - } - } - }, - "x-appwrite": { - "method": "updateTeamsSensitiveAttributes", - "weight": 161, - "cookies": false, - "type": "", - "deprecated": false, - "demo": "projects\/update-teams-sensitive-attributes.md", - "edit": "https:\/\/github.com\/appwrite\/appwrite\/edit\/master", - "rate-limit": 0, - "rate-time": 3600, - "rate-key": "url:{url},ip:{ip}", - "scope": "projects.write", - "platforms": [ - "console" - ], - "packaging": false, - "offline-model": "", - "offline-key": "", - "offline-response-key": "$id", - "auth": { - "Project": [] - } - }, - "security": [ - { - "Project": [] - } - ], - "parameters": [ - { - "name": "projectId", - "description": "Project unique ID.", - "required": true, - "type": "string", - "x-example": "", - "in": "path" - }, - { - "name": "payload", - "in": "body", - "schema": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "description": "Set to true to show sensitive attributes to team members.", - "default": null, - "x-example": false - } - }, - "required": [ - "enabled" - ] - } - } - ] - } - }, "\/projects\/{projectId}\/auth\/{method}": { "patch": { "summary": "Update project auth method status. Use this endpoint to enable or disable a given auth method for this project.", @@ -36577,9 +36591,19 @@ "description": "Whether or not to send session alert emails to users.", "x-example": true }, - "teamsSensitiveAttributes": { + "membershipsUserName": { "type": "boolean", - "description": "Whether or not to show sensitive attributes in the teams API.", + "description": "Whether or not to show user names in the teams membership response.", + "x-example": true + }, + "membershipsUserEmail": { + "type": "boolean", + "description": "Whether or not to show user emails in the teams membership response.", + "x-example": true + }, + "membershipsMfa": { + "type": "boolean", + "description": "Whether or not to show user MFA status in the teams membership response.", "x-example": true }, "oAuthProviders": { @@ -36791,7 +36815,9 @@ "authPersonalDataCheck", "authMockNumbers", "authSessionAlerts", - "teamsSensitiveAttributes", + "membershipsUserName", + "membershipsUserEmail", + "membershipsMfa", "oAuthProviders", "platforms", "webhooks", diff --git a/app/config/specs/swagger2-latest-console.json b/app/config/specs/swagger2-latest-console.json index 0c96ba472b..bba9cd9ca3 100644 --- a/app/config/specs/swagger2-latest-console.json +++ b/app/config/specs/swagger2-latest-console.json @@ -21136,6 +21136,100 @@ ] } }, + "\/projects\/{projectId}\/auth\/memberships-privacy": { + "patch": { + "summary": "Update project team sensitive attributes", + "operationId": "projectsUpdateMembershipsPrivacy", + "consumes": [ + "application\/json" + ], + "produces": [ + "application\/json" + ], + "tags": [ + "projects" + ], + "description": "", + "responses": { + "200": { + "description": "Project", + "schema": { + "$ref": "#\/definitions\/project" + } + } + }, + "x-appwrite": { + "method": "updateMembershipsPrivacy", + "weight": 161, + "cookies": false, + "type": "", + "deprecated": false, + "demo": "projects\/update-memberships-privacy.md", + "edit": "https:\/\/github.com\/appwrite\/appwrite\/edit\/master", + "rate-limit": 0, + "rate-time": 3600, + "rate-key": "url:{url},ip:{ip}", + "scope": "projects.write", + "platforms": [ + "console" + ], + "packaging": false, + "offline-model": "", + "offline-key": "", + "offline-response-key": "$id", + "auth": { + "Project": [] + } + }, + "security": [ + { + "Project": [] + } + ], + "parameters": [ + { + "name": "projectId", + "description": "Project unique ID.", + "required": true, + "type": "string", + "x-example": "", + "in": "path" + }, + { + "name": "payload", + "in": "body", + "schema": { + "type": "object", + "properties": { + "userName": { + "type": "boolean", + "description": "Set to true to show userName to members of a team.", + "default": null, + "x-example": false + }, + "userEmail": { + "type": "boolean", + "description": "Set to true to show email to members of a team.", + "default": null, + "x-example": false + }, + "mfa": { + "type": "boolean", + "description": "Set to true to show mfa to members of a team.", + "default": null, + "x-example": false + } + }, + "required": [ + "userName", + "userEmail", + "mfa" + ] + } + } + ] + } + }, "\/projects\/{projectId}\/auth\/mock-numbers": { "patch": { "summary": "Update the mock numbers for the project", @@ -21539,86 +21633,6 @@ ] } }, - "\/projects\/{projectId}\/auth\/teams-sensitive-attributes": { - "patch": { - "summary": "Update project team sensitive attributes", - "operationId": "projectsUpdateTeamsSensitiveAttributes", - "consumes": [ - "application\/json" - ], - "produces": [ - "application\/json" - ], - "tags": [ - "projects" - ], - "description": "", - "responses": { - "200": { - "description": "Project", - "schema": { - "$ref": "#\/definitions\/project" - } - } - }, - "x-appwrite": { - "method": "updateTeamsSensitiveAttributes", - "weight": 161, - "cookies": false, - "type": "", - "deprecated": false, - "demo": "projects\/update-teams-sensitive-attributes.md", - "edit": "https:\/\/github.com\/appwrite\/appwrite\/edit\/master", - "rate-limit": 0, - "rate-time": 3600, - "rate-key": "url:{url},ip:{ip}", - "scope": "projects.write", - "platforms": [ - "console" - ], - "packaging": false, - "offline-model": "", - "offline-key": "", - "offline-response-key": "$id", - "auth": { - "Project": [] - } - }, - "security": [ - { - "Project": [] - } - ], - "parameters": [ - { - "name": "projectId", - "description": "Project unique ID.", - "required": true, - "type": "string", - "x-example": "", - "in": "path" - }, - { - "name": "payload", - "in": "body", - "schema": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "description": "Set to true to show sensitive attributes to team members.", - "default": null, - "x-example": false - } - }, - "required": [ - "enabled" - ] - } - } - ] - } - }, "\/projects\/{projectId}\/auth\/{method}": { "patch": { "summary": "Update project auth method status. Use this endpoint to enable or disable a given auth method for this project.", @@ -36577,9 +36591,19 @@ "description": "Whether or not to send session alert emails to users.", "x-example": true }, - "teamsSensitiveAttributes": { + "membershipsUserName": { "type": "boolean", - "description": "Whether or not to show sensitive attributes in the teams API.", + "description": "Whether or not to show user names in the teams membership response.", + "x-example": true + }, + "membershipsUserEmail": { + "type": "boolean", + "description": "Whether or not to show user emails in the teams membership response.", + "x-example": true + }, + "membershipsMfa": { + "type": "boolean", + "description": "Whether or not to show user MFA status in the teams membership response.", "x-example": true }, "oAuthProviders": { @@ -36791,7 +36815,9 @@ "authPersonalDataCheck", "authMockNumbers", "authSessionAlerts", - "teamsSensitiveAttributes", + "membershipsUserName", + "membershipsUserEmail", + "membershipsMfa", "oAuthProviders", "platforms", "webhooks", diff --git a/app/controllers/api/projects.php b/app/controllers/api/projects.php index 5fb774d12e..29e6b591fc 100644 --- a/app/controllers/api/projects.php +++ b/app/controllers/api/projects.php @@ -111,7 +111,9 @@ App::post('/v1/projects') 'personalDataCheck' => false, 'mockNumbers' => [], 'sessionAlerts' => false, - 'teamsSensitiveAttributes' => true, + 'membershipsUserName' => true, + 'membershipsUserEmail' => true, + 'membershipsMfa' => true, ]; foreach ($auth as $method) { @@ -649,23 +651,23 @@ App::patch('/v1/projects/:projectId/auth/session-alerts') $response->dynamic($project, Response::MODEL_PROJECT); }); -App::patch('/v1/projects/:projectId/auth/teams-sensitive-attributes') +App::patch('/v1/projects/:projectId/auth/memberships-privacy') ->desc('Update project team sensitive attributes') ->groups(['api', 'projects']) ->label('scope', 'projects.write') ->label('sdk.auth', [APP_AUTH_TYPE_ADMIN]) ->label('sdk.namespace', 'projects') - ->label('sdk.method', 'updateTeamsSensitiveAttributes') + ->label('sdk.method', 'updateMembershipsPrivacy') ->label('sdk.response.code', Response::STATUS_CODE_OK) ->label('sdk.response.type', Response::CONTENT_TYPE_JSON) ->label('sdk.response.model', Response::MODEL_PROJECT) ->param('projectId', '', new UID(), 'Project unique ID.') - ->param('enabled', true, new Boolean(true), 'Set to true to show sensitive attributes to team members.') + ->param('userName', true, new Boolean(true), 'Set to true to show userName to members of a team.') + ->param('userEmail', true, new Boolean(true), 'Set to true to show email to members of a team.') + ->param('mfa', true, new Boolean(true), 'Set to true to show mfa to members of a team.') ->inject('response') ->inject('dbForConsole') - ->action(function (string $projectId, bool $enabled, Response $response, Database $dbForConsole) { - $enabled = \strval($enabled) === 'true' || \strval($enabled) === '1'; - + ->action(function (string $projectId, bool $userName, bool $userEmail, bool $mfa, Response $response, Database $dbForConsole) { $project = $dbForConsole->getDocument('projects', $projectId); if ($project->isEmpty()) { @@ -674,7 +676,9 @@ App::patch('/v1/projects/:projectId/auth/teams-sensitive-attributes') $auths = $project->getAttribute('auths', []); - $auths['teamsSensitiveAttributes'] = $enabled; + $auths['membershipsUserName'] = $userName; + $auths['membershipsUserEmail'] = $userEmail; + $auths['membershipsMfa'] = $mfa; $dbForConsole->updateDocument('projects', $project->getId(), $project ->setAttribute('auths', $auths)); diff --git a/app/controllers/api/teams.php b/app/controllers/api/teams.php index 997a6a8039..ff6b14d156 100644 --- a/app/controllers/api/teams.php +++ b/app/controllers/api/teams.php @@ -790,17 +790,25 @@ App::get('/v1/teams/:teamId/memberships') $memberships = array_filter($memberships, fn (Document $membership) => !empty($membership->getAttribute('userId'))); + $membershipsPrivacy = $project->getAttribute('auths', [])['membershipPrivacy'] ?? [ + 'userName' => true, + 'userEmail' => true, + 'mfa' => true, + ]; + $roles = Authorization::getRoles(); $isPrivilegedUser = Auth::isPrivilegedUser($roles); $isAppUser = Auth::isAppUser($roles); - $sensitiveAttributes = $isPrivilegedUser || $isAppUser || ($project->getAttribute('auths', [])['teamsSensitiveAttributes'] ?? true); + $membershipsPrivacy = array_map(function ($privacy) use ($isPrivilegedUser, $isAppUser) { + return $privacy || $isPrivilegedUser || $isAppUser; + }, $membershipsPrivacy); - $memberships = array_map(function ($membership) use ($dbForProject, $team, $sensitiveAttributes) { - if ($sensitiveAttributes) { + $memberships = array_map(function ($membership) use ($dbForProject, $team, $membershipsPrivacy) { + if ($membershipsPrivacy['mfa']) { $user = $dbForProject->getDocument('users', $membership->getAttribute('userId')); - $mfa = $user->getAttribute('mfa', false); + if ($mfa) { $totp = TOTP::getAuthenticatorFromUser($user); $totpEnabled = $totp && $totp->getAttribute('verified', false); @@ -812,13 +820,19 @@ App::get('/v1/teams/:teamId/memberships') } } - $membership - ->setAttribute('mfa', $mfa) - ->setAttribute('userName', $user->getAttribute('name')) - ->setAttribute('userEmail', $user->getAttribute('email')); + $membership->setAttribute('mfa', $mfa); + } + + if ($membershipsPrivacy['userName']) { + $membership->setAttribute('userName', $user->getAttribute('name')); + } + + if ($membershipsPrivacy['userEmail']) { + $membership->setAttribute('userEmail', $user->getAttribute('email')); } $membership->setAttribute('teamName', $team->getAttribute('name')); + return $membership; }, $memberships); @@ -860,13 +874,21 @@ App::get('/v1/teams/:teamId/memberships/:membershipId') throw new Exception(Exception::MEMBERSHIP_NOT_FOUND); } + $membershipsPrivacy = $project->getAttribute('auths', [])['membershipPrivacy'] ?? [ + 'userName' => true, + 'userEmail' => true, + 'mfa' => true, + ]; + $roles = Authorization::getRoles(); $isPrivilegedUser = Auth::isPrivilegedUser($roles); $isAppUser = Auth::isAppUser($roles); - $sensitiveAttributes = $isPrivilegedUser || $isAppUser || ($project->getAttribute('auths', [])['teamsSensitiveAttributes'] ?? true); + $membershipsPrivacy = array_map(function ($privacy) use ($isPrivilegedUser, $isAppUser) { + return $privacy || $isPrivilegedUser || $isAppUser; + }, $membershipsPrivacy); - if ($sensitiveAttributes) { + if ($membershipsPrivacy['mfa']) { $user = $dbForProject->getDocument('users', $membership->getAttribute('userId')); $mfa = $user->getAttribute('mfa', false); @@ -882,10 +904,15 @@ App::get('/v1/teams/:teamId/memberships/:membershipId') } } - $membership - ->setAttribute('mfa', $mfa) - ->setAttribute('userName', $user->getAttribute('name')) - ->setAttribute('userEmail', $user->getAttribute('email')); + $membership->setAttribute('mfa', $mfa); + } + + if ($membershipsPrivacy['userName']) { + $membership->setAttribute('userName', $user->getAttribute('name')); + } + + if ($membershipsPrivacy['userEmail']) { + $membership->setAttribute('userEmail', $user->getAttribute('email')); } $membership->setAttribute('teamName', $team->getAttribute('name')); diff --git a/src/Appwrite/Utopia/Response/Model/Project.php b/src/Appwrite/Utopia/Response/Model/Project.php index 50bc1f300f..f2abf26d9b 100644 --- a/src/Appwrite/Utopia/Response/Model/Project.php +++ b/src/Appwrite/Utopia/Response/Model/Project.php @@ -151,9 +151,21 @@ class Project extends Model 'default' => false, 'example' => true, ]) - ->addRule('teamsSensitiveAttributes', [ + ->addRule('membershipsUserName', [ 'type' => self::TYPE_BOOLEAN, - 'description' => 'Whether or not to show sensitive attributes in the teams API.', + 'description' => 'Whether or not to show user names in the teams membership response.', + 'default' => false, + 'example' => true, + ]) + ->addRule('membershipsUserEmail', [ + 'type' => self::TYPE_BOOLEAN, + 'description' => 'Whether or not to show user emails in the teams membership response.', + 'default' => false, + 'example' => true, + ]) + ->addRule('membershipsMfa', [ + 'type' => self::TYPE_BOOLEAN, + 'description' => 'Whether or not to show user MFA status in the teams membership response.', 'default' => false, 'example' => true, ]) @@ -354,7 +366,9 @@ class Project extends Model $document->setAttribute('authPersonalDataCheck', $authValues['personalDataCheck'] ?? false); $document->setAttribute('authMockNumbers', $authValues['mockNumbers'] ?? []); $document->setAttribute('authSessionAlerts', $authValues['sessionAlerts'] ?? false); - $document->setAttribute('authTeamsSensitiveAttributes', $authValues['teamsSensitiveAttributes'] ?? true); + $document->setAttribute('authMembershipUserName', $authValues['membershipUserName'] ?? true); + $document->setAttribute('authMembershipUserEmail', $authValues['membershipUserEmail'] ?? true); + $document->setAttribute('authMembershipMfa', $authValues['membershipMfa'] ?? true); foreach ($auth as $index => $method) { $key = $method['key']; diff --git a/tests/e2e/Services/Teams/TeamsBaseServer.php b/tests/e2e/Services/Teams/TeamsBaseServer.php index c34b7f5795..6a1d05e9d4 100644 --- a/tests/e2e/Services/Teams/TeamsBaseServer.php +++ b/tests/e2e/Services/Teams/TeamsBaseServer.php @@ -60,12 +60,14 @@ trait TeamsBaseServer $this->assertEquals(true, (new DatetimeValidator())->isValid($response['body']['joined'])); // is null in DB $this->assertEquals(true, $response['body']['confirm']); - $response = $this->client->call(Client::METHOD_PATCH, '/projects/' . $this->getProject()['$id'] . '/auth/teams-sensitive-attributes', array_merge([ + $response = $this->client->call(Client::METHOD_PATCH, '/projects/' . $this->getProject()['$id'] . '/auth/memberships-privacy', array_merge([ 'content-type' => 'application/json', 'x-appwrite-project' => 'console', 'cookie' => 'a_session_console=' . $this->getRoot()['session'], ]), [ - 'enabled' => false, + 'userName' => false, + 'userEmail' => false, + 'mfa' => false, ]); $this->assertEquals(200, $response['headers']['status-code']); @@ -90,12 +92,14 @@ trait TeamsBaseServer /** * Update project settings to show sensitive fields */ - $response = $this->client->call(Client::METHOD_PATCH, '/projects/' . $this->getProject()['$id'] . '/auth/teams-sensitive-attributes', array_merge([ + $response = $this->client->call(Client::METHOD_PATCH, '/projects/' . $this->getProject()['$id'] . '/auth/memberships-privacy', array_merge([ 'content-type' => 'application/json', 'x-appwrite-project' => 'console', 'cookie' => 'a_session_console=' . $this->getRoot()['session'], ]), [ - 'enabled' => true, + 'userName' => true, + 'userEmail' => true, + 'mfa' => true, ]); $this->assertEquals(200, $response['headers']['status-code']); diff --git a/tests/e2e/Services/Teams/TeamsCustomClientTest.php b/tests/e2e/Services/Teams/TeamsCustomClientTest.php index 5720b1ca71..4b22497a9c 100644 --- a/tests/e2e/Services/Teams/TeamsCustomClientTest.php +++ b/tests/e2e/Services/Teams/TeamsCustomClientTest.php @@ -23,12 +23,14 @@ class TeamsCustomClientTest extends Scope $projectId = $this->getProject()['$id']; - $response = $this->client->call(Client::METHOD_PATCH, '/projects/' . $projectId . '/auth/teams-sensitive-attributes', array_merge([ + $response = $this->client->call(Client::METHOD_PATCH, '/projects/' . $projectId . '/auth/memberships-privacy', array_merge([ 'content-type' => 'application/json', 'x-appwrite-project' => 'console', 'cookie' => 'a_session_console=' . $this->getRoot()['session'], ]), [ - 'enabled' => false, + 'userName' => false, + 'userEmail' => false, + 'mfa' => false, ]); $this->assertEquals(200, $response['headers']['status-code']); @@ -53,12 +55,14 @@ class TeamsCustomClientTest extends Scope /** * Update project settings to show sensitive fields */ - $response = $this->client->call(Client::METHOD_PATCH, '/projects/' . $projectId . '/auth/teams-sensitive-attributes', array_merge([ + $response = $this->client->call(Client::METHOD_PATCH, '/projects/' . $projectId . '/auth/memberships-privacy', array_merge([ 'content-type' => 'application/json', 'x-appwrite-project' => 'console', 'cookie' => 'a_session_console=' . $this->getRoot()['session'], ]), [ - 'enabled' => true, + 'userName' => true, + 'userEmail' => true, + 'mfa' => true, ]); $this->assertEquals(200, $response['headers']['status-code']);