Require 'Modify Account' to access another user's secondary emails

Only the preferred email should be readily available to other users.
Secondary emails should only be accessible to the user that owns the
account or to users that have the 'Modify Account' capability. We choose
to check on the 'Modify Account' capability because the intention of
this change is to hide secondary emails from normal users and 'Modify
Account' is a capability that is almost certainly only assigned to
administrator users (as opposed to e.g. the 'View All Accounts'
capability which may also be granted to normal users to see all
accounts but not all account data). Also when you edit an account you
must be able to see its full data. Admittedly the 'Modify Account'
capability is not a perfect match for this and it would be nicer to have
a new 'View Secondary Emails' capability for this. For now we refrain
from adding yet another capability while we have no specific use case
for it but follow-up changes can add it if needed.

So far secondary emails of other users could be accessed in various
ways:

* GetEmails REST endpoint
* QueryAccounts REST endpoint with the ALL_EMAILS option
* QueryAccounts REST endpoint with the suggest option

The GetEmails REST endpoint is now only supported if the calling user
owns the account or if the calling user has the 'Modify Account'
capability.

Using the ALL_EMAILS option on the QueryAccounts REST endpoint also
requires the 'Modify Account' capability now.

The QueryAccounts REST endpoint with the suggest option is changed to
only include secondary emails if the calling user has the 'Modify
Account' capability.

Also the GetExternalIds REST endpoint includes secondary emails in its
response. However this REST endpoint already requires that the calling
user owns the account or has the 'Access Database' capability. Hence
already now normal users can't use this REST endpoint to get access to
the secondary emails of other accounts.

To hide secondary emails we must also disable querying accounts by
secondary email. Otherwise one could search with 'email:foo.com' to find
all accounts that have a '*@foo.com' email address.

The following index fields contain the secondary emails (or parts of
them):

* EMAIL
* NAME_PART
* EXTERNAL_ID

The EMAIL field is used for queries with the 'email' operator. With this
change the EMAIL field is now only used if the calling user has the
'Modify Account' capability. If the calling user doesn't have this
capability we now use the PREFERRED_EMAIL field instead.

The NAME_PART field is used for default queries and queries with the
'name' operator. With this change the NAME_PART field is now only used
if the calling user has the 'Modify Account' capability. For users that
don't have this capability a new NAME_PART_NO_SECONDARY_EMAIL field was
added that does not contain name parts of secondary emails and that then
can be used instead of the NAME_PART field (see predecessor change).
However this means that prefix searches by name parts are not working
while a search index version is used that doesn't include the new
NAME_PART_NO_SECONDARY_EMAIL field yet (e.g. while online reindexing
hasn't finished yet). This does affect reviewer suggestion, but
shouldn't be a big issue since online reindexing for accounts is
expected to be fast.

The EXTERNAL_ID field is only used internally and there is no query
operator that maps to it.

Disabling querying by secondary email for users without the 'Modify
Account' capability means that these users can't get reviewers suggested
by secondary email anymore.

Change-Id: Icf3108d45fb1a7c5f6965c28c4ddc2bfbfedb38a
Signed-off-by: Edwin Kempin <ekempin@google.com>
diff --git a/Documentation/rest-api-accounts.txt b/Documentation/rest-api-accounts.txt
index 8dc3b9d..5912d1f 100644
--- a/Documentation/rest-api-accounts.txt
+++ b/Documentation/rest-api-accounts.txt
@@ -63,7 +63,9 @@
 
 [[all-emails]]
 --
-* `ALL_EMAILS`: Includes all registered emails.
+* `ALL_EMAILS`: Includes all registered emails. Requires the caller
+to have the link:access-control.html#capability_modifyAccount[Modify
+Account] global capability.
 --
 
 [[suggest-account]]
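Review bot: the new `ALL_EMAILS` text says the option "Requires the caller to have" Modify Account but does not say what a caller without the capability gets back: a rejected request, or a normal response with the secondary emails left out. The suggest documentation in the next hunk uses "only included", which reads as silent omission, so the two behaviours should be worded so a client author can tell them apart. Please state the outcome for an unprivileged caller here, and whether querying one's own account with `ALL_EMAILS` is exempt, since the commit message grants the account owner access on GetEmails.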
@@ -79,6 +81,10 @@
   GET /accounts/?suggest&q=John HTTP/1.0
 ----
 
+Secondary emails are only included if the calling user has the
+link:access-control.html#capability_modifyAccount[Modify Account]
+capability.
+
 .Response
 ----
   HTTP/1.1 200 OK
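Review bot: the added paragraph documents only what the suggest response contains, but the commit message says callers without Modify Account also can no longer match accounts by secondary email (NAME_PART is swapped for NAME_PART_NO_SECONDARY_EMAIL). That matching change is the part a client will notice as "missing" suggestions, so it deserves a sentence here. Two smaller points: the paragraph sits between the request example and `.Response`, where it interrupts the example and would read better in the description above the request; and it says "capability" where the `ALL_EMAILS` hunk says "global capability", so pick one wording.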
@@ -2159,7 +2165,10 @@
 |`secondary_emails`|optional|
 A list of the secondary email addresses of the user. +
 Only set for account queries when the link:#all-emails[ALL_EMAILS]
-option is set.
+option or the link:#suggest-account[suggest] parameter is set. +
+Secondary emails are only included if the calling user has the
+link:access-control.html#capability_modifyAccount[Modify Account], and
+hence is allowed to see secondary emails of other users.
 |`username`        |optional|The username of the user. +
 Only set if detailed account information is requested. +
 See option link:rest-api-changes.html#detailed-accounts[
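Review bot: in the added `secondary_emails` text, "has the link:access-control.html#capability_modifyAccount[Modify Account], and hence" is missing the noun after the link; the other two hunks write "[Modify Account] global capability" and "[Modify Account] capability". Suggest "has the ... [Modify Account] capability, and hence is allowed to see secondary emails of other users". The field description also now covers the caller's own account implicitly; if the owner always sees their own secondary emails, as the commit message describes for GetEmails, say so here so the "only included if" sentence is not read as applying to self-queries.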