Bug: permissions on API users with filters created_before and created_after / not consistent with docs ... and what we can do in other ways
Summary
As a user, I can't use the API "/users" with the filters created_before and created_after. The HTTP request is OK, but it's as if the filters had never been applied.
Documentation https://docs.gitlab.com/ee/api/users.html says "For non-administrator users"
As we can get the "created_at" info from the users API, I think it's normal to have access to the created_before and created_after filters.
Steps to reproduce
- Log in to GitLab Community as a user
- Make an API request for new users: https://<your_instance>/api/v4/users?created_after=2024-06-18T00:00:00.060
- Or make a request for an old user: https://<your_instance>/api/v4/users?created_before=2000-06-18T00:00:00.060
Example Project
NA
What is the expected correct behavior?
I should see a list of users consistent with "created_at"
Relevant logs and/or screenshots
NA
Output of checks
Results of GitLab environment info
GitLab Community Edition v16.10.6
Possible fixes
Change the permission check: current_user&.can_read_all_resources? from https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/api/users.rb#L136-138
The corresponding test is implemented only for admin: https://gitlab.com/gitlab-org/gitlab/-/blob/master/spec/requests/api/users_spec.rb#L649-676
Thanks
Edited by Louis Bourguignon
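
One way to confirm from the client side whether a /users response honored the created_after / created_before filters, as an added example that is not part of the original issue or GitLab's own code. The helper names, the sample response body, the inclusive boundaries and the treatment of zone-less timestamps as UTC are all assumptions made for illustration.

```ruby
require 'json'
require 'time'

# Constructed sample of a /api/v4/users response body (not real data).
SAMPLE_BODY = <<~JSON
  [
    {"id": 1, "username": "alice", "created_at": "2019-03-02T10:15:00.000Z"},
    {"id": 2, "username": "bob",   "created_at": "2024-06-20T08:00:00.000Z"},
    {"id": 3, "username": "carol", "created_at": "2024-07-01T12:30:00.000Z"}
  ]
JSON

# Parse a timestamp; one without a zone (as in the issue's URLs) is read
# as UTC here. That is an assumption of this example, not documented
# GitLab behaviour.
def parse_utc(timestamp)
  has_zone = timestamp.match?(/(Z|[+-]\d\d:\d\d)\z/)
  Time.parse(has_zone ? timestamp : "#{timestamp}Z")
end

# Returns the usernames whose created_at lies outside the requested window.
# Boundaries are treated as inclusive (assumption). An empty array means the
# response is consistent with the filters that were sent.
def filter_violations(body, created_after: nil, created_before: nil)
  after  = created_after  && parse_utc(created_after)
  before = created_before && parse_utc(created_before)
  JSON.parse(body).each_with_object([]) do |user, bad|
    created = parse_utc(user.fetch('created_at'))
    too_old = after && created < after
    too_new = before && created > before
    bad << user['username'] if too_old || too_new
  end
end

# True when every returned user falls inside the requested window.
def filter_honored?(body, **window)
  filter_violations(body, **window).empty?
end

if __FILE__ == $PROGRAM_NAME
  # Same filter values as in the steps to reproduce.
  p filter_violations(SAMPLE_BODY, created_after: '2024-06-18T00:00:00.060')
  p filter_violations(SAMPLE_BODY, created_before: '2000-06-18T00:00:00.060')
end
```

A non-empty result for a request that returned HTTP 200 is the symptom described in the summary: the filter was accepted but not applied.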