Page MenuHomePhorge
Create Task
Maniphest T15470

Include user email address in Conduit output when query is run by admin
Closed, WontfixPublic
Actions

Description

AFAIK, Conduit's user.whoami is the only method whose output currently includes the email address of a user.

As an admin, I'd like to be able to check compliance with an organization's guidelines, for example quickly check if a user who is affiliated with an organization uses their organization's email address in a Phorge installation that is used by folks with numerous affiliations. Currently I have to run SQL database queries to achieve that goal.

I have a working patch in P14 for user.query but that method is frozen. Would a patch be accepted for review?
So far I have not understood how to reach the same outcome in non-frozen user.search instead.

Related Objects

Event Timeline

aklapper created this task.Jun 13 2023, 13:33
Herald added subscribers: Cigaryno, Matthew, chris and 2 others. · View Herald TranscriptJun 13 2023, 13:33
valerio.bozzolan subscribed.Jun 16 2023, 13:01

On this I think it does more or less the same as MediaWiki: the sysop does not see the emails of participants, not even via API.

valerio.bozzolan triaged this task as Wishlist priority.Jun 16 2023, 13:02
aklapper added a comment.Jun 17 2023, 11:18

The sysop sees the email addresses of recipients already anyway by running an SQL query in the database if they operate the system anyway.
Running SQL queries is what I've been doing so far and it's cumbersome. Thus my request to allow this on an API level.
(I don't mind how MediaWiki behaves as that software covers different use cases.)

valerio.bozzolan added a comment.Jun 17 2023, 16:37

Yep indeed. I just mentioned MediaWiki to talk about a similar situation, where being a "sysop" does not necessarily mean being a sysadmin with CLI / root access.

As compromise, maybe introducing a role, such as "Blessed Administrator" / "Super Mega Administrator", perhaps assignable only from the command line, might be an interesting compromise that I could see being approved by someone. So, without changing the level of trust of the "Administrators".

valerio.bozzolan added a project: Discussion Needed.Jun 17 2023, 16:37
avivey subscribed.Jun 19 2023, 06:44

(I'm against this, but I don't have the time to go into details right now. I suggest a CLI tool (like ./bin/user) to expose this information).

valerio.bozzolan added a project: Conduit.Jun 19 2023, 07:28
aklapper closed this task as Wontfix.Jun 19 2023, 11:39
aklapper claimed this task.

Then let's decline this ticket to reflect the status.

aklapper removed aklapper as the assignee of this task.Jun 19 2023, 11:39
speck added a comment.Jun 19 2023, 22:56

I think updating the user script is a good idea if this functionality is needed.

avivey added a comment.Jun 24 2023, 09:04

For completeness, my arguments against this:

  • User's email is "private information" (PII), not to be exposed under normal conditions. There are a couple of places where a user's email is legitimately exposed (e.g. User Approval Queue), but those are rare.

    Adding a code path where PII is exposed to an approved user raises the risks of a bug exposing this information to un-approved users.
  • Admins are not expected to bypass permissions in the system; The range of things that's hard-coded to "admin" is small, and we want to narrow it more. The idea is to reduce the amount of code that handles permissions.
  • Adding a "super-admin" role goes against the goal of "reduce critical code paths".

    Traditionally, we've always considered the CLI access to be the "super admin". Running CLI scripts requires a very high level of access, which basically includes full access to everything (including the ability to change code and directly manipulate the database).

The underlaying use-case ("occasionally produce a list of all registered emails") sounds like something that can be satisfied by a CLI script (+ maybe configure auth.email-domains).

Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under Apache 2.0 or other open source licenses. · CC BY-SA 4.0 · Apache 2.0