`Group.get` API returning incomplete result sets - was: Incorrect setting of more_results in getlist API action reply with ACLs
The generic getlist
API action includes a more_results
parameter denoting whether there are more results in the corresponding get
API call, which is being determined by passing a limit of one higher than the search_autocomplete_count
setting (e.g. 10), then checking if there is one more result than that (11th) and setting more_results
to either 1
or 0
depending on that.
However, when using ACLs, this is not robust enough.
Steps to reproduce:
- Create more than 10 mailing list groups (i.e. more than the
search_autocomplete_count
setting) - Create an additional user/contact
- Use ACLs to grant that user access to one of the first 10 and one of the next 10 groups
- Being logged-in with that user, create a mailing
- Click on the "Recipients" autocomplete field to load the relevant mailing lists
- Note that only the first group the user has access to is being shown for selection, the second group (the one in the next 10 groups) is missing, and is also not being fetched in a second load.
This is due to getlist
calling get
internally, which does the ACL filtering, leaving getlist
with a reduced result set, in this case with only one result, since the user has access to only one of the first 10 mailing lists. However, there would have been a second result in the next 10 groups, but the more_results
calculation is not aware of that.
The more_results
calculation should be based on a getcount
API call, instead of assuming that the next result would be the 11th in the get
API call.