Restrict access to store API
What does this MR do?
https://foodsharing.freshdesk.com/helpdesk/tickets/1466
Some more restrictions, similar to !1944 (merged). Restricts the data returned by /api/stores/{storeId}:
- all details for member of the store team (as before)
- only basic information (store name, id, region, coordinates, cooperation status, team status, chain, and store managers) for foodsavers who are not in the team
- a 401 error without any data for everyone else including foodsharers
How confident are you it won't break things if deployed?
Very sure. It can't break anything because the endpoint seems not to be in use yet (I'm not sure why we have it at all, but we might use it in the future).
How to test
Steps a reviewer can take to verify that this MR does what it says it does e.g.
- Checkout branch locally
- Check the response from http://localhost:18080/api/stores/1 for different cases:
- not logged in: returns 401
- logged in as user1: returns 401
- logged in as user2 if not a member of the store: only basic information
- logged in as user2 if a team member or userbot: all information
Checklist
-
added a test, or explain why one is not needed/possible... -
no unrelated changes -
asked someone for a code review -
set a "for:" label to indicate who will be affected by this change -
use "state:" labels to track this MR's state until it was beta tested -
added an entry to CHANGELOG.md -
add a short text that can be used in the release notes -
Once your MR has been merged, you are responsible to create a testing issue in Beta Testing Repo: - Consider writing a detailed description in German.
- Describe in a few sentences, what should be tested from a user perspective.
- Also mention different settings (e.g. different browsers, roles, ...). how this change can be tested.
- Be aware, that also non technical people should understand.
Release notes text
(A short text that will appear in the release notes and describes the change for non-technical people. Not always necessary, e.g. not for refactoring.)