User search vulnerability #183
Conversation
The web app is still sending the old search parameters to the new endpoint. This means the search does not correctly filter the results, returns too many items per page, and the summary of Active, Inactive, and Disabled users just shows the total number of users for each category. I believe the default page size on the old endpoint, or the parameter the web app specified, was 10. The new search endpoint's default page size is 250, so now the pages in the admin UI are showing too many users.
There are just a few things to clean up. We can revert UserReadService to its original state, and we shouldn't need to inject that into any of the components any more since UserService is using the new /api/next-users/search endpoint. Also, let's generally remove the debug console logging.
After testing, I believe there is just one small issue remaining to resolve. We need to reset the page index of the search request when the search term changes. The following steps demonstrate the discrepant behavior.
- Go to the Users admin tab.
- Click the Next button to advance to the second page.
- Type a search term in the input that produces only one page of matching user results. The app displays no results because the page index still points to the second page even though there is only one page of results matching the search term.
This behavior can mislead the user into thinking there are no results for the search, when in fact there could be one or more matching results on the first page. The easy fix is to reset the page index whenever the search term changes.
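The following is an added example, not code from this project, that models the two problems raised in this thread: the page index carried over when the search term changes (the repro steps above), and the page size left to the new endpoint's default instead of being sent explicitly (the first comment). The interface and function names (`UserSearchState`, `searchUsers`, `setTerm`, `buildSearchParams`), the query parameter names, and the sample users are all assumptions made for illustration; the real endpoint's parameter names are not shown in the thread.

```typescript
// Added example (hypothetical code, not the project's own). Models the admin
// user-search state, the buggy term change, the fixed term change, and
// explicit page-size parameters.

interface User {
  name: string;
  status: "Active" | "Inactive" | "Disabled";
}

interface UserSearchState {
  term: string;
  pageIndex: number; // zero-based
  pageSize: number;
}

// Constructed sample data: 12 users, so the unfiltered list spans two pages
// at pageSize 10, while a search for "alice" matches only two users.
const SAMPLE_USERS: User[] = Array.from({ length: 12 }, (_, i) => ({
  name: i < 2 ? `alice${i}` : `bob${i}`,
  status: i % 3 === 0 ? "Disabled" : i % 3 === 1 ? "Inactive" : "Active",
}));

// Stand-in for the search endpoint: one page of matching users plus the total
// count, which the UI needs to compute how many pages exist.
function searchUsers(users: User[], state: UserSearchState): { items: User[]; total: number } {
  const matching = users.filter((u) => u.name.includes(state.term));
  const start = state.pageIndex * state.pageSize;
  return { items: matching.slice(start, start + state.pageSize), total: matching.length };
}

// Summary counts must be computed over the filtered set, not all users.
function statusSummary(users: User[], term: string): Record<User["status"], number> {
  const counts = { Active: 0, Inactive: 0, Disabled: 0 };
  for (const u of users) if (u.name.includes(term)) counts[u.status] += 1;
  return counts;
}

// Buggy behaviour described in the thread: the term changes but the page
// index from the previous search is kept.
function setTermWithoutReset(state: UserSearchState, term: string): UserSearchState {
  return { ...state, term };
}

// Fixed behaviour: any change to the term goes back to the first page.
function setTerm(state: UserSearchState, term: string): UserSearchState {
  return term === state.term ? state : { ...state, term, pageIndex: 0 };
}

// Always send the page size explicitly. Relying on the endpoint default
// (250, per the thread) is what made the admin pages show too many users.
// The parameter names here are assumptions.
function buildSearchParams(state: UserSearchState): Record<string, string> {
  return {
    searchTerm: state.term,
    pageIndex: String(state.pageIndex),
    pageSize: String(state.pageSize),
  };
}

// Walks through the repro steps from the thread and returns the number of
// results the UI would show with and without the fix.
function reproduce(): { buggy: number; fixed: number } {
  const initial: UserSearchState = { term: "", pageIndex: 0, pageSize: 10 };
  const onPageTwo: UserSearchState = { ...initial, pageIndex: 1 }; // click Next
  const buggy = searchUsers(SAMPLE_USERS, setTermWithoutReset(onPageTwo, "alice")).items.length;
  const fixed = searchUsers(SAMPLE_USERS, setTerm(onPageTwo, "alice")).items.length;
  return { buggy, fixed };
}

console.log(reproduce(), buildSearchParams(setTerm({ term: "", pageIndex: 1, pageSize: 10 }, "alice")));
```

With the sample data, the buggy path returns zero items on page two even though two users match, while the fixed path returns both; the unfiltered second page still holds its two users, so resetting only on a term change does not break normal paging.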
…ionality in order to deprecate
…based on input values.
cc040ef to 70eca32
No description provided.