From c363d574814c4083bf83f32aaaa24e38562c139a Mon Sep 17 00:00:00 2001
From: Jan Bernitt
Date: Tue, 7 Jan 2025 16:53:12 +0100
Subject: [PATCH 1/2] fix: user query parameter must include username [DHIS2-18748]
---
 .../dhis/webapi/controller/AbstractFullReadOnlyController.java | 3 ++-
 .../org/hisp/dhis/webapi/controller/user/UserController.java | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/AbstractFullReadOnlyController.java b/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/AbstractFullReadOnlyController.java
index 9d88e596e414..02edb0947e54 100644
--- a/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/AbstractFullReadOnlyController.java
+++ b/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/AbstractFullReadOnlyController.java
@@ -81,6 +81,7 @@
 import org.hisp.dhis.security.acl.AclService;
 import org.hisp.dhis.system.util.ReflectionUtils;
 import org.hisp.dhis.user.CurrentUser;
+import org.hisp.dhis.user.User;
 import org.hisp.dhis.user.UserDetails;
 import org.hisp.dhis.user.UserSettingsService;
 import org.hisp.dhis.webapi.mvc.annotation.ApiVersion;
@@ -242,7 +243,7 @@ protected List getPreQueryMatches(P params) throws ConflictException {
 @Nonnull
 protected List getAdditionalFilters(P params) throws ConflictException {
 List filters = new ArrayList<>();
- if (params.getQuery() != null && !params.getQuery().isEmpty())
+ if (params.getQuery() != null && !params.getQuery().isEmpty() && getEntityClass() != User.class)
 filters.add(Restrictions.query(getSchema(), params.getQuery()));
 List matches = getPreQueryMatches(params);
 // Note: null = no special filters, empty = no matches for special filters
diff --git a/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java b/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java
index 0c90bd0acc08..7b038d49aeb0 100644
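Review bot: In `getAdditionalFilters` of AbstractFullReadOnlyController, the new `getEntityClass() != User.class` condition hard-codes one entity type into the generic base controller without saying why, so the next reader cannot tell that `query=` is deliberately skipped for users. With the generic `Restrictions.query` filter no longer applied to this type, which users a `query=` request returns is decided only by the `getPreQueryMatches` path, whose user-specific implementation is not visible in this patch; it is worth confirming that path enforces the same visibility limits as the other user filters. At minimum add a comment such as `// User: query= is handled by UserController's special filters so that it also matches username [DHIS2-18748]`; a protected hook overridden in UserController would keep the exception out of the base class. The method body continues outside the hunk.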
--- a/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java
+++ b/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java
@@ -217,7 +217,8 @@ public static final class GetUserObjectListParams extends GetObjectListParams {
 @JsonIgnore
 boolean isUsingAnySpecialFilters() {
- return phoneNumber != null
+ return getQuery() != null
+ || phoneNumber != null
 || canManage
 || authSubset
 || lastLogin != null
From c8fabba5de84333f0b34fe58bcabba26eae94588 Mon Sep 17 00:00:00 2001
From: Jan Bernitt
Date: Thu, 9 Jan 2025 15:24:56 +0100
Subject: [PATCH 2/2] test: adds a controller test querying matching username
---
 .../AbstractFullReadOnlyControllerTest.java | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/dhis-2/dhis-test-web-api/src/test/java/org/hisp/dhis/webapi/controller/AbstractFullReadOnlyControllerTest.java b/dhis-2/dhis-test-web-api/src/test/java/org/hisp/dhis/webapi/controller/AbstractFullReadOnlyControllerTest.java
index 0621b0724844..9d0087dc59bf 100644
--- a/dhis-2/dhis-test-web-api/src/test/java/org/hisp/dhis/webapi/controller/AbstractFullReadOnlyControllerTest.java
+++ b/dhis-2/dhis-test-web-api/src/test/java/org/hisp/dhis/webapi/controller/AbstractFullReadOnlyControllerTest.java
@@ -38,7 +38,10 @@
 import org.hisp.dhis.common.CodeGenerator;
 import org.hisp.dhis.dataelement.DataElement;
 import org.hisp.dhis.dataelement.DataElementService;
+import org.hisp.dhis.jsontree.JsonList;
 import org.hisp.dhis.test.webapi.H2ControllerIntegrationTestBase;
+import org.hisp.dhis.test.webapi.json.domain.JsonUser;
+import org.hisp.dhis.user.User;
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.transaction.annotation.Transactional;
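Review bot: In `GetUserObjectListParams.isUsingAnySpecialFilters()` (UserController.java), `getQuery() != null` is also true for an empty string, whereas `getAdditionalFilters` in the base controller treats an empty `query` as absent via `!params.getQuery().isEmpty()`. If request binding delivers `query=` as `""`, that request would now take the special-filter path with an empty search term, and how that path handles an empty term is not visible in this patch. Using the same test in both places removes the difference: `return (getQuery() != null && !getQuery().isEmpty())` followed by the existing `|| phoneNumber != null` chain. The return expression continues outside the hunk.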
@@ -54,6 +57,25 @@ class AbstractFullReadOnlyControllerTest extends H2ControllerIntegrationTestBase
 @Autowired private DataElementService dataElementService;
+ @Test
+ void testGetObjectList_QueryUsers() {
+ // this just simulates the normal setup with a system super-user
+ User user = switchToNewUser("system", "ALL");
+ // make sure "system" does not occur in any other property that might be searched by query=
+ user.setName("x");
+ user.setFirstName("y");
+ user.setSurname("z");
+ user.setCode("xyz");
+ userService.updateUser(user);
+
+ JsonList users =
+ GET("/users?fields=id,name,username&query=system")
+ .content()
+ .getList("users", JsonUser.class);
+ assertEquals(1, users.size());
+ assertEquals("system", users.get(0).getUsername());
+ }
+
 @Test
 void testGetObjectListCsv() {
 createDataElements(36);
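Review bot: `testGetObjectList_QueryUsers` runs only as a user created with the `ALL` authority, so it shows that `query=` finds a username but not that the result stays limited to users the caller is allowed to see. Because this patch series takes user `query=` handling off the generic filter, a second case with a restricted caller, asserting that a matching user outside that caller's reach is absent from the `users` list, would pin the access side of the change. A case whose `query=` term matches no user, asserting `assertEquals(0, users.size())`, would also catch the filter being ignored altogether.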