fix: Limit shopping list owners to current group (#3305)

* add route for getting group-only users

* add new api route to frontend

* update shopping list user getAll call

* tests

* fixed bad import

* replace UserOut with UserSummary

* fix params

mealie/routes/users/crud.py

@@ -11,7 +11,7 @@ from mealie.routes.users._helpers import assert_user_change_allowed
 from mealie.schema.response import ErrorResponse, SuccessResponse
 from mealie.schema.response.pagination import PaginationQuery
 from mealie.schema.user import ChangePassword, UserBase, UserIn, UserOut
-from mealie.schema.user.user import GroupInDB, UserPagination
+from mealie.schema.user.user import GroupInDB, UserPagination, UserSummary, UserSummaryPagination
 
 user_router = UserAPIRouter(prefix="/users", tags=["Users: CRUD"])
 admin_router = AdminAPIRouter(prefix="/users", tags=["Users: Admin CRUD"])
@@ -25,6 +25,8 @@ class AdminUserController(BaseAdminController):
 
     @admin_router.get("", response_model=UserPagination)
     def get_all(self, q: PaginationQuery = Depends(PaginationQuery)):
+        """Returns all users from all groups"""
+
         response = self.repos.users.page_all(
             pagination=q,
             override=UserOut,
@@ -56,6 +58,18 @@ class AdminUserController(BaseAdminController):
 
 @controller(user_router)
 class UserController(BaseUserController):
+    @user_router.get("/group-users", response_model=UserSummaryPagination)
+    def get_all_group_users(self, q: PaginationQuery = Depends(PaginationQuery)):
+        """Returns all users from the current group"""
+
+        response = self.repos.users.by_group(self.group_id).page_all(
+            pagination=q,
+            override=UserSummary,
+        )
+
+        response.set_pagination_guides(user_router.url_path_for("get_all_group_users"), q.model_dump())
+        return response
+
     @user_router.get("/self", response_model=UserOut)
     def get_logged_in_user(self):
         return self.user

mealie/schema/user/__init__.py

@@ -1,5 +1,5 @@
 # This file is auto-generated by gen_schema_exports.py
-from .auth import Token, TokenData, UnlockResults
+from .auth import CredentialsRequest, CredentialsRequestForm, OIDCRequest, Token, TokenData, UnlockResults
 from .registration import CreateUserRegistration
 from .user import (
     ChangePassword,
@@ -18,6 +18,7 @@ from .user import (
     UserIn,
     UserOut,
     UserPagination,
+    UserSummary,
 )
 from .user_passwords import (
     ForgotPassword,
@@ -30,6 +31,9 @@ from .user_passwords import (
 
 __all__ = [
     "CreateUserRegistration",
+    "CredentialsRequest",
+    "CredentialsRequestForm",
+    "OIDCRequest",
     "Token",
     "TokenData",
     "UnlockResults",
@@ -55,4 +59,5 @@ __all__ = [
     "UserIn",
     "UserOut",
     "UserPagination",
+    "UserSummary",
 ]

mealie/schema/user/user.py

@@ -139,10 +139,20 @@ class UserOut(UserBase):
         return slugs
 
 
+class UserSummary(MealieModel):
+    id: UUID4
+    full_name: str
+    model_config = ConfigDict(from_attributes=True)
+
+
 class UserPagination(PaginationBase):
     items: list[UserOut]
 
 
+class UserSummaryPagination(PaginationBase):
+    items: list[UserSummary]
+
+
 class UserFavorites(UserBase):
     favorite_recipes: list[RecipeSummary] = []  # type: ignore
     model_config = ConfigDict(from_attributes=True)