XF 2.3 API - user_group_id and secondary_user_group_ids not returned for all users

Arith

Member
Hello, I'm attempting to build an application that makes use of the OAuth2 implementation and as part of that I'm fetching the user groups assigned to a user to determine permissions within the app; however, some users do not seem to have these properties when calling /api/me. I can't really figure out why or what permission isn't set to return it. The docs aren't very clear about the permissions required.

I've tried to look at the user manually using an API Key and setting the XF-Api-User header to the specific user I'm checking, but that doesn't return it either.

What am I missing here? Thanks!
 
I added all scopes to my super api key (for testing) and it still doesn't return the user_group_id and secondary for all users. Is this a bug or a feature?
 
Those details are considered internal and only exposed to administrators or when bypassing permissions.
 
Oh I see, I couldn't see that mentioned in the docs. Thanks for the reply. What do you mean when you say "or when bypassing permissions"?

Seems like I'm going to have to change my auth approach because I need to know the roles of the users when they log in.
 
I've managed to read the user group IDs with an API Key and the API user set to an admin; however, this feels super hacky in an OAuth2 flow.

@Jeremy P Would you consider allowing these properties to be shown in the /api/me endpoint by default? I don't fully understand why they're considered internal when you can see what user group a user is in by looking at their postbit or profile.
 
> What do you mean when you say "or when bypassing permissions"?

Super user keys can bypass permission checks on a per-request basis, but I imagine that's not viable for your use case.

> @Jeremy P Would you consider allowing these properties to be shown in the /api/me endpoint by default?

We could potentially introduce an additional scope for it, though I would caution that group membership is a bit tangential to the way permissions work in XF overall.

> I don't fully understand why they're considered internal when you can see what user group a user is in by looking at their postbit or profile.

I don't believe that's universally true, though group membership can sometimes be exposed via group banners I suppose.
 
I am having a similar issue using a super user API key (XF 2.3); it will fetch the secondary user groups of the admin who created when queried, but not of an ordinary user. It will fetch all of the other information of the ordinary user.
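
An added example, not part of the thread and not XenForo's own code: one way for a client that maps forum groups to application roles to handle the behaviour described above, where the group fields are simply absent for some users. It treats "absent" as "unknown" and grants nothing, rather than reading it as "no groups" or falling back to a default role. The key names come from the thread title; the `me` wrapper, the role names and the group-id mapping are assumptions.

```python
import json

# Key names as written in the thread title; the "me" wrapper, the role names
# and the group-id mapping below are assumptions for illustration.
PRIMARY_KEY = "user_group_id"
SECONDARY_KEY = "secondary_user_group_ids"
GROUP_ROLES = {2: "member", 3: "admin", 4: "moderator"}  # hypothetical ids


class GroupsNotExposed(Exception):
    """The response carried no group fields, so membership is unknown."""


def groups_from_me(payload):
    """Return the set of group ids in a /api/me-style payload."""
    user = payload.get("me") if isinstance(payload, dict) else None
    if not isinstance(user, dict):
        raise ValueError("payload has no 'me' object")
    # Absent fields mean "not exposed to this requester", not "no groups".
    if PRIMARY_KEY not in user or SECONDARY_KEY not in user:
        raise GroupsNotExposed("group fields absent from response")
    secondary = user[SECONDARY_KEY]
    if not isinstance(secondary, list):
        raise ValueError("secondary group ids must be a list")
    ids = [user[PRIMARY_KEY], *secondary]
    if not all(type(i) is int and i > 0 for i in ids):
        raise ValueError("malformed group id")
    return set(ids)


def roles_for_login(payload):
    """Map a payload to app roles; unknown membership grants nothing."""
    try:
        groups = groups_from_me(payload)
    except GroupsNotExposed:
        return frozenset()  # fail closed instead of assuming a default role
    return frozenset(GROUP_ROLES[g] for g in groups if g in GROUP_ROLES)


# Constructed sample responses (not captured from a real forum).
WITH_GROUPS = json.loads('{"me": {"user_id": 1, "username": "admin",'
                         ' "user_group_id": 2, "secondary_user_group_ids": [3, 4]}}')
WITHOUT_GROUPS = json.loads('{"me": {"user_id": 57, "username": "ordinary",'
                            ' "message_count": 12}}')

if __name__ == "__main__":
    print(sorted(roles_for_login(WITH_GROUPS)))
    print(sorted(roles_for_login(WITHOUT_GROUPS)))
```
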
 