Add permission checks to API
See https://foodsharing.freshdesk.com/a/tickets/1458
What does this MR do?
Adds permission checks to some REST endpoints that didn't have any yet, especially the list of past pickups that includes personal data.
How confident are you it won't break things if deployed?
Very sure
How to test
Steps a reviewer can take to verify that this MR does what it says it does e.g.
- Checkout branch locally
- Login as foodsaver
- Go to your profile and test if you can see past pickups
- Check that you can't access https://localhost:18080/api/foodsaver/{userId}/pickups/200001-01T00:00:00.000Z/2099-12-31T23:00:00.000Z for any other user id
Checklist
-
added a test, or explain why one is not needed/possible... -
no unrelated changes -
asked someone for a code review -
set a "for:" label to indicate who will be affected by this change -
use "state:" labels to track this MR's state until it was beta tested -
added an entry to CHANGELOG.md -
add a short text that can be used in the release notes -
Once your MR has been merged, you are responsible to create a testing issue in Beta Testing Repo: - Consider writing a detailed description in German.
- Describe in a few sentences, what should be tested from a user perspective.
- Also mention different settings (e.g. different browsers, roles, ...). how this change can be tested.
- Be aware, that also non technical people should understand.
Release notes text
(A short text that will appear in the release notes and describes the change for non-technical people. Not always necessary, e.g. not for refactoring.)