Ignore account locked status for Scaffold API (#927)

Oscariremma · web-flow · commit 5c35778a9911 · 2024-11-12T20:19:54.000+01:00
diff --git a/app/src/main/java/it/chalmers/gamma/app/accountscaffold/AccountScaffoldFacade.java b/app/src/main/java/it/chalmers/gamma/app/accountscaffold/AccountScaffoldFacade.java
@@ -62,7 +62,6 @@ public List<AccountScaffoldSuperGroupDTO> getActiveSuperGroups() {
             group -> {
               List<AccountScaffoldUserPostDTO> activeGroupMember =
                   group.groupMembers().stream()
-                      .filter(groupMember -> !groupMember.user().extended().locked())
                       .filter(groupMember -> gdprTrained.contains(groupMember.user().id()))
                       .map(AccountScaffoldUserPostDTO::new)
                       .toList();
@@ -94,7 +93,7 @@ public List<AccountScaffoldSuperGroupDTO> getActiveSuperGroups() {
 
   /**
    * Returns the users that are active right now. Takes in a list of super group types to help
-   * determine what kinds of groups that are deemed active. User must also be not locked, and have
+   * determine what kinds of groups that are deemed active. User must have
    * participated in gdpr training.
    */
   public List<AccountScaffoldUserDTO> getActiveUsers() {
@@ -118,7 +117,6 @@ public List<AccountScaffoldUserDTO> getActiveUsers() {
         .flatMap(group -> group.groupMembers().stream())
         .map(GroupMember::user)
         .distinct()
-        .filter(user -> !user.extended().locked())
         .filter(groupMember -> gdprTrained.contains(groupMember.id()))
         .map(AccountScaffoldUserDTO::new)
         .toList();
diff --git a/app/src/main/java/it/chalmers/gamma/app/authentication/UserAccessGuard.java b/app/src/main/java/it/chalmers/gamma/app/authentication/UserAccessGuard.java
@@ -74,10 +74,11 @@ public boolean haveAccessToUser(UserId userId, boolean userLocked) {
 
     /*
      * If the user is locked then nothing should be returned
-     * unless if and only if the signed-in user is an admin.
+     * unless if and only if the signed-in user is an admin,
+     * or if we are using an API with extended access.
      */
     if (userLocked) {
-      return isAdmin();
+      return isAdmin() || isApiKeyWithExtendedAccess();
     }
 
     // If one user is trying to access another user, then approve
