From b3ef0eb10b77476c774a1cf24380ff0e1a173ac5 Mon Sep 17 00:00:00 2001
From: swve
Date: Mon, 31 Mar 2025 15:32:45 +0200
Subject: [PATCH] feat: update rbac_check to allow 'read' action for anonymous users
---
 apps/api/src/services/users/users.py | 8 +++-----
 apps/web/services/users/users.ts | 4 ++--
 2 files changed, 5 insertions(+), 7 deletions(-)
diff --git a/apps/api/src/services/users/users.py b/apps/api/src/services/users/users.py
index c4b2a420..c02b6a23 100644
--- a/apps/api/src/services/users/users.py
+++ b/apps/api/src/services/users/users.py
@@ -416,8 +416,7 @@ async def read_user_by_uuid( detail="User does not exist", ) - # RBAC check - await rbac_check(request, current_user, "read", user.user_uuid, db_session) + user = UserRead.model_validate(user)
@@ -440,8 +439,7 @@ async def read_user_by_username( detail="User does not exist", ) - # RBAC check - await rbac_check(request, current_user, "read", user.user_uuid, db_session) + user = UserRead.model_validate(user)
@@ -587,7 +585,7 @@ async def rbac_check(
 user_uuid: str,
 db_session: Session,
 ):
- if action == "create":
+ if action == "create" or action == "read":
 if current_user.id == 0: # if user is anonymous
 return True
 else:
diff --git a/apps/web/services/users/users.ts b/apps/web/services/users/users.ts
index 52cf3b77..ce55d75f 100644
--- a/apps/web/services/users/users.ts
+++ b/apps/web/services/users/users.ts
@@ -10,7 +10,7 @@ import {
 export async function getUser(user_id: string, access_token: string) {
 const result = await fetch(
 `${getAPIUrl()}users/id/${user_id}`,
- RequestBodyWithAuthHeader('GET', null, null, access_token)
+ RequestBody('GET', null, null)
 )
 const res = await errorHandling(result)
 return res
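Review bot: Deleting the `rbac_check` call from `read_user_by_uuid` (hunk at -416) and from `read_user_by_username` (hunk at -440) removes the authorization step for every caller, authenticated or not, which goes further than the subject line's "allow 'read' action for anonymous users". Because the same commit makes `rbac_check` return True for an anonymous `read`, keeping `await rbac_check(request, current_user, "read", user.user_uuid, db_session)` would still admit anonymous callers while leaving a single place to tighten the policy later. Both functions now hand a full `UserRead` to unauthenticated requests; if that schema carries email or other non-public fields (not visible here), a reduced public schema for `current_user.id == 0` is the safer response, and the distinct "User does not exist" error lets any client confirm which usernames and UUIDs exist, so rate limiting on these routes is worth confirming. The single `+` line in each hunk appears to be whitespace-only, judging by the 8-to-7 line counts, and could be dropped. Both function bodies start and end outside their hunks.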
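Review bot: Folding `"read"` into the `"create"` branch at the top of `rbac_check` (hunk at -587) changes the result for every caller that passes `"read"`, yet the two read call sites visible in this patch are deleted by the same commit, so the new condition either affects callers outside the patch or is dead code. Authenticated users asking for `read` now also take this branch's `else:`, whose body lies outside the hunk; please confirm it applies the checks that read access went through before, not a create-only rule. If the branch stays, `if action in ("create", "read"):` reads more clearly, and a comment such as `# anonymous (id 0) is allowed for create and read` placed above it would record the intent for the next reviewer.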
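Review bot: `getUser` still declares `access_token` but no longer uses it once the call becomes `RequestBody('GET', null, null)`, and `getUserByUsername` in the following hunk is left with the same unused parameter. Callers keep passing a token that is silently discarded, so a signed-in request reaches the API looking exactly like an anonymous one and the server cannot vary the returned fields per caller. Either remove the parameter and update the call sites, or keep sending the header when a token exists, for example `access_token ? RequestBodyWithAuthHeader('GET', null, null, access_token) : RequestBody('GET', null, null)`. The function's closing brace is outside the hunk.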
@@ -19,7 +19,7 @@ export async function getUser(user_id: string, access_token: string) {
 export async function getUserByUsername(username: string, access_token: string) {
 const result = await fetch(
 `${getAPIUrl()}users/username/${username}`,
- RequestBodyWithAuthHeader('GET', null, null, access_token)
+ RequestBody('GET', null, null)
 )
 const res = await errorHandling(result)
 return res
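Review bot: `username` is interpolated into the request path without encoding in `getUserByUsername`, so a value containing `/`, `?` or `#` changes which URL is actually requested. That line is unchanged context, but it matters more now that the route needs no token; `${getAPIUrl()}users/username/${encodeURIComponent(username)}` keeps the value a single path segment. `getUser` in the previous hunk would benefit from the same treatment of `user_id`.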