fix: Limit shopping list owners to current group (#3305)

* add route for getting group-only users

* add new api route to frontend

* update shopping list user getAll call

* tests

* fixed bad import

* replace UserOut with UserSummary

* fix params

mealie/routes/users/crud.py

@@ -11,7 +11,7 @@ from mealie.routes.users._helpers import assert_user_change_allowed
 from mealie.schema.response import ErrorResponse, SuccessResponse
 from mealie.schema.response.pagination import PaginationQuery
 from mealie.schema.user import ChangePassword, UserBase, UserIn, UserOut
-from mealie.schema.user.user import GroupInDB, UserPagination
+from mealie.schema.user.user import GroupInDB, UserPagination, UserSummary, UserSummaryPagination
 
 user_router = UserAPIRouter(prefix="/users", tags=["Users: CRUD"])
 admin_router = AdminAPIRouter(prefix="/users", tags=["Users: Admin CRUD"])
@@ -25,6 +25,8 @@ class AdminUserController(BaseAdminController):
 
     @admin_router.get("", response_model=UserPagination)
     def get_all(self, q: PaginationQuery = Depends(PaginationQuery)):
+        """Returns all users from all groups"""
+
         response = self.repos.users.page_all(
             pagination=q,
             override=UserOut,
@@ -56,6 +58,18 @@ class AdminUserController(BaseAdminController):
 
 @controller(user_router)
 class UserController(BaseUserController):
+    @user_router.get("/group-users", response_model=UserSummaryPagination)
+    def get_all_group_users(self, q: PaginationQuery = Depends(PaginationQuery)):
+        """Returns all users from the current group"""
+
+        response = self.repos.users.by_group(self.group_id).page_all(
+            pagination=q,
+            override=UserSummary,
+        )
+
+        response.set_pagination_guides(user_router.url_path_for("get_all_group_users"), q.model_dump())
+        return response
+
     @user_router.get("/self", response_model=UserOut)
     def get_logged_in_user(self):
         return self.user