Allow a user to see membership details of another user on sites where they have 'view.roster' permission
Description
A user can visit a site and, if they have 'view.roster' permission, they can check whether User X is a member; however, they cannot make an entity broker call to /direct/memberships and do the same thing.
That is to say, a call like /direct/membership.json?userId=251734fc-7107-4f34-80e4-6093e4ee9afa always returns a 403 Forbidden for a non-'admin' user.
It should return a list of sites (membership_collection) that User X belongs to where the current user has view.roster (I think) access, or an empty membership_collection.
This only works for the admin user at the moment, who can see all memberships.
Is it fair to say that this change regressed previous behavior where a student's call to /direct/memberships would at least show their own (Student role) memberships? It seems like the requirement for view.roster permissions means a student can no longer view their own sites.
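The per-site filtering the description asks for, as an added sketch that is not Sakai code and uses no Sakai API. The `Site` model, `visible_memberships`, the `self_sees_own` switch (covering the self-lookup case raised in the comment) and all sample users and sites are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

VIEW_ROSTER = "view.roster"  # permission name as written in the issue


@dataclass
class Site:
    site_id: str
    members: dict                               # user_id -> role in this site
    grants: dict = field(default_factory=dict)  # role -> set of permissions

    def has_permission(self, user_id, permission):
        role = self.members.get(user_id)
        return role is not None and permission in self.grants.get(role, set())


def visible_memberships(sites, current_user, target_user,
                        admins=frozenset(), self_sees_own=True):
    """Return [(site_id, role)] for target_user, limited to what
    current_user is allowed to see. The decision is made per site,
    so one readable site never exposes the target's other sites."""
    result = []
    for site in sites:
        role = site.members.get(target_user)
        if role is None:
            continue  # target is not a member of this site
        allowed = (
            current_user in admins
            or (self_sees_own and current_user == target_user)  # assumption
            or site.has_permission(current_user, VIEW_ROSTER)
        )
        if allowed:
            result.append((site.site_id, role))
    # Nothing visible yields an empty collection rather than an error.
    return result


# Constructed sample data (not from the issue).
GRANTS = {"Instructor": {VIEW_ROSTER}, "Student": set()}
SITES = [
    Site("chem101", {"ivy": "Instructor", "sam": "Student"}, GRANTS),
    Site("math200", {"sam": "Student", "tom": "Student"}, GRANTS),
    Site("art300", {"ivy": "Instructor", "tom": "Student"}, GRANTS),
]
```
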