feat: update rbac_check to allow 'read' action for anonymous users

2025-12-19 04:19:25 +00:00 · 2025-03-31 15:32:45 +02:00 · 2025-03-31 15:32:45 +02:00 · b3ef0eb10b
commit b3ef0eb10b
parent 3b5c4f9d92
2 changed files with 5 additions and 7 deletions
--- a/apps/api/src/services/users/users.py
+++ b/apps/api/src/services/users/users.py
@ -416,8 +416,7 @@ async def read_user_by_uuid(
            detail="User does not exist",
        )
-    # RBAC check
+    
    await rbac_check(request, current_user, "read", user.user_uuid, db_session)
    user = UserRead.model_validate(user)
@ -440,8 +439,7 @@ async def read_user_by_username(
            detail="User does not exist",
        )
-    # RBAC check
+    
    await rbac_check(request, current_user, "read", user.user_uuid, db_session)
    user = UserRead.model_validate(user)
@ -587,7 +585,7 @@ async def rbac_check(
    user_uuid: str,
    db_session: Session,
 ):
-    if action == "create":
+    if action == "create" or action == "read":
        if current_user.id == 0:  # if user is anonymous
            return True
        else:
--- a/apps/web/services/users/users.ts
+++ b/apps/web/services/users/users.ts
@ -10,7 +10,7 @@ import {
 export async function getUser(user_id: string, access_token: string) {
  const result = await fetch(
    `${getAPIUrl()}users/id/${user_id}`,
-    RequestBodyWithAuthHeader('GET', null, null, access_token)
+    RequestBody('GET', null, null)
  )
  const res = await errorHandling(result)
  return res
@ -19,7 +19,7 @@ export async function getUser(user_id: string, access_token: string) {
 export async function getUserByUsername(username: string, access_token: string) {
  const result = await fetch(
    `${getAPIUrl()}users/username/${username}`,
-    RequestBodyWithAuthHeader('GET', null, null, access_token)
+    RequestBody('GET', null, null)
  )
  const res = await errorHandling(result)
  return res