Users visibility permissions
ds2268 opened this issue · 2 comments
Any user can see all the users in the "users" section. Can we somehow limit this already now? Users might use full names, and it might not be desirable for these to be seen by other users, especially if there are multiple collections, for each institution separately, but users from both collections can still see all the registered users on the platform. This should be limited to admin only, or to see users that are part of the collections that you are also in...
I would also like to disable all users being able to see the users section. I agree that this should be limited to admin only.
Internally, users are access controlled models, so this would be a matter of setting all users to `public=False`. I don't think there is a web API to do this for users, so this would be running `for user in User().find(): User().setPublic(user, False, save=True)` in Python and hooking to the user creation event to ensure new users are so flagged.
It wouldn't be a hard feature to add to a plugin.
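The approach described in the last comment, written out as an added example (not code from this thread or from Girder itself). The module layout, the `load(info)` entry point, and the names `EVENT`, `HANDLER`, `make_private` and `hide_existing_users` are assumptions; the Girder calls used are `User().find()`, `User().setPublic()`, `events.bind()` and the `model.user.save.created` event.

```python
"""Sketch of a Girder server plugin that keeps user records non-public."""

# Fired by Girder's model layer after a new user document is first saved.
EVENT = 'model.user.save.created'
# Hypothetical handler name used when binding to the event.
HANDLER = 'private_users'


def make_private(user_model, user):
    """Clear the public flag on one user document.

    Returns True if the document was changed, False if it was already
    non-public (a missing 'public' key is treated as non-public).
    """
    if not user.get('public', False):
        return False
    user_model.setPublic(user, False, save=True)
    return True


def hide_existing_users(user_model):
    """One-off sweep over every user already in the database.

    The cursor is materialized first so that saving documents does not
    interfere with the iteration. Returns the number of users changed.
    """
    return sum(make_private(user_model, u) for u in list(user_model.find()))


def load(info):
    """Assumed plugin entry point: sweep existing users, then flag new ones."""
    # Imported here so the helpers above can be exercised without Girder.
    from girder import events
    from girder.models.user import User

    changed = hide_existing_users(User())
    print('private_users: cleared public flag on %d existing users' % changed)

    def on_user_created(event):
        # event.info is the newly created user document.
        make_private(User(), event.info)

    events.bind(EVENT, HANDLER, on_user_created)
```

The second save triggered inside the handler is not a creation, so it does not fire `model.user.save.created` again.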