Incorrect setting of more_results in getlist API action reply with ACLs
getlist API action includes a
more_results parameter denoting whether there are more results in the corresponding
get API call, which is being determined by passing a limit of one higher than the
search_autocomplete_count setting (e.g. 10), then checking if there is one more result than that (11th) and setting
more_results to either
0 depending on that.
However, when using ACLs, this is not robust enough.
Steps to reproduce:
- Create more than 10 mailing list groups (i.e. more than the
- Create an additional user/contact
- Use ACLs to grant that user access to one of the first 10 and one of the next 10 groups
- Being logged-in with that user, create a mailing
- Click on the "Recipients" autocomplete field to load the relevant mailing lists
- Note that only the first group the user has access to is being shown for selection, the second group (the one in the next 10 groups) is missing, and is also not being fetched in a second load.
This is due to
get internally, which does the ACL filtering, leaving
getlist with a reduced result set, in this case with only one result, since the user has access to only one of the first 10 mailing lists. However, there would have been a second result in the next 10 groups, but the
more_results calculation is not aware of that.
more_results calculation should be based on a
getcount API call, instead of assuming that the next result would be the 11th in the
get API call.