@totopoloco
Collaborator

Description

This PR implements a new GET /users endpoint in the users controller that allows retrieving user information from the database.

Motivation

  • Admin users (members of ADMIN_GROUPS like admin, ingestor) can retrieve all users in the database
  • Regular authenticated users can only retrieve their own user information
  • Unauthenticated users are denied access

Implementation details

1. New CASL Actions (src/casl/action.enum.ts)

  • Added UserListAll - grants permission to list all users (admin only)
  • Added UserListOwn - grants permission to list own user info (all authenticated users)

2. CASL Ability Factory (src/casl/casl-ability.factory.ts)

  • Admin users (those in ADMIN_GROUPS) are granted UserListAll permission
  • All authenticated users are granted UserListOwn permission
  • Non-admin users are explicitly denied UserListAll

3. Users Service (src/users/users.service.ts)

  • Added findAll() method that retrieves all users from the database

4. Users Controller (src/users/users.controller.ts)

  • Added GET /users endpoint with proper guards and policy checks
  • Uses CASL to determine if user can see all users or only their own

Changes

Unit Tests Added

Controller Tests (src/users/users.controller.spec.ts)

  • Admin user returns all users
  • Regular user returns only their own info
  • Empty array when user not found in database
  • Proper calls to userEndpointAccess
  • DTO structure validation
  • Verifies findAll service is not called for non-admin users

Service Tests (src/users/users.service.spec.ts)

  • Returns array of users
  • Returns empty array when no users exist
  • Users have expected properties
  • Handles multiple auth strategies (local, oidc)
  • findById returns user or null appropriately

API Documentation

The endpoint is documented with Swagger decorators:

  • @ApiOperation with summary and description
  • @ApiResponse with status 200 and ReturnedUserDto[] type

Authorization Matrix

User Type                 | Access Level
Unauthenticated           | Denied
Regular User              | Own info only
Admin User (ADMIN_GROUPS) | All users

Tests included

  • Included for each change/fix?
  • Passing?

Documentation

  • Swagger documentation updated (required for API changes)
  • Official documentation updated

Official documentation info

N/A - No official documentation changes required for this PR.
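The authorization flow described above, as an added TypeScript example that is not the project's code: a plain Set-based stand-in for the CASL ability (no @casl dependency) plus an in-memory users service, showing the three outcomes of the matrix and that findAll is never reached for non-admins. The ADMIN_GROUPS values, the User shape and the service/handler names are assumptions.

```typescript
// Constructed model of the GET /users authorization (not the project's code).
export enum Action { UserListAll = "UserListAll", UserListOwn = "UserListOwn" }

// Assumed group names, taken from the PR text ("admin, ingestor").
export const ADMIN_GROUPS: string[] = ["admin", "ingestor"];

export interface User { id: string; username: string; currentGroups: string[] }

// Mirrors the ability factory: every authenticated user gets UserListOwn,
// only members of ADMIN_GROUPS get UserListAll, unauthenticated gets nothing.
export function createAbility(user: User | null): Set<Action> {
  const allowed = new Set<Action>();
  if (!user) return allowed;
  allowed.add(Action.UserListOwn);
  if (user.currentGroups.some((g) => ADMIN_GROUPS.includes(g))) {
    allowed.add(Action.UserListAll);
  }
  return allowed;
}

// In-memory stand-in for the users service; findAllCalls lets a test prove
// that the all-users query is never issued for a non-admin caller.
export class UsersService {
  public findAllCalls = 0;
  private readonly users: User[];
  constructor(users: User[]) { this.users = users; }
  findAll(): User[] { this.findAllCalls += 1; return [...this.users]; }
  findById(id: string): User | null {
    return this.users.find((u) => u.id === id) ?? null;
  }
}

// Handler logic for GET /users: reject callers without UserListOwn
// (unauthenticated), return everything for UserListAll, otherwise only the
// caller's own record, or [] if it is no longer in the database.
export function listUsers(service: UsersService, caller: User | null): User[] {
  const ability = createAbility(caller);
  if (!caller || !ability.has(Action.UserListOwn)) {
    throw new Error("403 Forbidden");
  }
  if (ability.has(Action.UserListAll)) return service.findAll();
  const own = service.findById(caller.id);
  return own ? [own] : [];
}

// Constructed sample users.
export const sampleUsers: User[] = [
  { id: "1", username: "alice", currentGroups: ["admin"] },
  { id: "2", username: "bob", currentGroups: ["group-a"] },
];
```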

@totopoloco totopoloco requested a review from a team as a code owner December 22, 2025 13:19
@totopoloco totopoloco requested a review from nitrosx December 22, 2025 13:19
@totopoloco totopoloco added enhancement New feature or request feature New feature labels Dec 22, 2025