diff --git a/dhis-2/dhis-test-web-api/src/test/java/org/hisp/dhis/webapi/controller/AbstractFullReadOnlyControllerTest.java b/dhis-2/dhis-test-web-api/src/test/java/org/hisp/dhis/webapi/controller/AbstractFullReadOnlyControllerTest.java index 0621b072484..9d0087dc59b 100644 --- a/dhis-2/dhis-test-web-api/src/test/java/org/hisp/dhis/webapi/controller/AbstractFullReadOnlyControllerTest.java +++ b/dhis-2/dhis-test-web-api/src/test/java/org/hisp/dhis/webapi/controller/AbstractFullReadOnlyControllerTest.java @@ -38,7 +38,10 @@ import org.hisp.dhis.common.CodeGenerator; import org.hisp.dhis.dataelement.DataElement; import org.hisp.dhis.dataelement.DataElementService; +import org.hisp.dhis.jsontree.JsonList; import org.hisp.dhis.test.webapi.H2ControllerIntegrationTestBase; +import org.hisp.dhis.test.webapi.json.domain.JsonUser; +import org.hisp.dhis.user.User; import org.junit.jupiter.api.Test; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.transaction.annotation.Transactional; @@ -54,6 +57,25 @@ class AbstractFullReadOnlyControllerTest extends H2ControllerIntegrationTestBase @Autowired private DataElementService dataElementService; + @Test + void testGetObjectList_QueryUsers() { + // this just simulates the normal setup with a system super-user + User user = switchToNewUser("system", "ALL"); + // make sure "system" does not occur in any other property that might be searched by query= + user.setName("x"); + user.setFirstName("y"); + user.setSurname("z"); + user.setCode("xyz"); + userService.updateUser(user); + + JsonList users = + GET("/users?fields=id,name,username&query=system") + .content() + .getList("users", JsonUser.class); + assertEquals(1, users.size()); + assertEquals("system", users.get(0).getUsername()); + } + @Test void testGetObjectListCsv() { createDataElements(36); diff --git a/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/AbstractFullReadOnlyController.java b/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/AbstractFullReadOnlyController.java index 9d88e596e41..02edb0947e5 100644 --- a/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/AbstractFullReadOnlyController.java +++ b/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/AbstractFullReadOnlyController.java @@ -81,6 +81,7 @@ import org.hisp.dhis.security.acl.AclService; import org.hisp.dhis.system.util.ReflectionUtils; import org.hisp.dhis.user.CurrentUser; +import org.hisp.dhis.user.User; import org.hisp.dhis.user.UserDetails; import org.hisp.dhis.user.UserSettingsService; import org.hisp.dhis.webapi.mvc.annotation.ApiVersion; @@ -242,7 +243,7 @@ protected List getPreQueryMatches(P params) throws ConflictException { @Nonnull protected List getAdditionalFilters(P params) throws ConflictException { List filters = new ArrayList<>(); - if (params.getQuery() != null && !params.getQuery().isEmpty()) + if (params.getQuery() != null && !params.getQuery().isEmpty() && getEntityClass() != User.class) filters.add(Restrictions.query(getSchema(), params.getQuery())); List matches = getPreQueryMatches(params); // Note: null = no special filters, empty = no matches for special filters diff --git a/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java b/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java index 0c90bd0acc0..7b038d49aeb 100644 --- a/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java +++ b/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java @@ -217,7 +217,8 @@ public static final class GetUserObjectListParams extends GetObjectListParams { @JsonIgnore boolean isUsingAnySpecialFilters() { - return phoneNumber != null + return getQuery() != null + || phoneNumber != null || canManage || authSubset || lastLogin != null