The admin member listing service includes a TODO to ensure the requester is an admin. Implement authentication and authorisation for GET /v1/communities/:communityId/members so member data is not exposed publicly.
Suggested tasks
- Define the authentication mechanism for admin API access
- Check that the requester has an active admin role for the community
- Return 401 for unauthenticated requests
- Return 403 for authenticated users without admin access
- Add tests for admin, non-admin, and unauthenticated access
- Document the required headers or auth flow
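The decision logic the tasks above describe, as an added example that is not part of this issue or the project's code. It assumes, hypothetically, that callers send an `Authorization: Bearer <token>` header, that a `verifyToken` callback resolves a token to a user id, and that an `adminRolesFor` lookup returns rows with `communityId` and `status`; the session tokens, role rows and member lists are constructed sample data. The point it makes beyond the task list is the ordering and the failure shapes: authenticate first and answer 401 with a `WWW-Authenticate` challenge when the caller cannot be identified, then authorise against an active role scoped to the requested community and answer 403 otherwise, with error bodies that do not reveal anything about the community or its members.

```javascript
// Added example, not the project's code. Authorisation decision for
// GET /v1/communities/:communityId/members.
// Hypothetical assumptions: callers send "Authorization: Bearer <token>",
// deps.verifyToken(token) resolves a token to a user id (or null), and
// deps.adminRolesFor(userId) returns rows of { communityId, status }.

// Constructed sample data: opaque session tokens -> user ids.
const SAMPLE_SESSIONS = new Map([
  ["tok-alice", "user-alice"],
  ["tok-bob", "user-bob"],
  ["tok-carol", "user-carol"],
]);

// Constructed sample data: admin role rows. Bob's role for c-1 was revoked,
// so only an "active" row may grant access.
const SAMPLE_ADMIN_ROLES = {
  "user-alice": [{ communityId: "c-1", status: "active" }],
  "user-bob": [
    { communityId: "c-1", status: "revoked" },
    { communityId: "c-2", status: "active" },
  ],
  "user-carol": [],
};

// Constructed sample data: the protected resource, members per community.
const SAMPLE_MEMBERS = {
  "c-1": ["user-alice", "user-bob", "user-dave"],
  "c-2": ["user-bob"],
};

const sampleDeps = {
  verifyToken: (token) => SAMPLE_SESSIONS.get(token) ?? null,
  adminRolesFor: (userId) => SAMPLE_ADMIN_ROLES[userId] ?? [],
  listMembers: (communityId) => SAMPLE_MEMBERS[communityId] ?? [],
};

// Extract the token from an RFC 6750 style Authorization header.
function parseBearerToken(headerValue) {
  if (typeof headerValue !== "string") return null;
  const match = /^Bearer\s+(\S+)$/i.exec(headerValue.trim());
  return match ? match[1] : null;
}

// Authenticate first (401 when we cannot tell who is calling), then authorise
// (403 when we know who it is but they hold no active admin role for this
// community). Error bodies are generic so they do not leak membership or
// community existence to callers who are not allowed to see it.
function handleListMembers(req, deps) {
  const token = parseBearerToken(req.headers.authorization);
  if (!token) {
    return {
      status: 401,
      headers: { "WWW-Authenticate": 'Bearer realm="admin-api"' },
      body: { error: "authentication_required" },
    };
  }
  const userId = deps.verifyToken(token);
  if (!userId) {
    return {
      status: 401,
      headers: { "WWW-Authenticate": 'Bearer realm="admin-api", error="invalid_token"' },
      body: { error: "invalid_token" },
    };
  }
  const communityId = req.params.communityId;
  const isActiveAdmin = deps
    .adminRolesFor(userId)
    .some((r) => r.communityId === communityId && r.status === "active");
  if (!isActiveAdmin) {
    return { status: 403, headers: {}, body: { error: "admin_role_required" } };
  }
  return { status: 200, headers: {}, body: { members: deps.listMembers(communityId) } };
}

// Minimal request object with the fields an Express-style handler reads
// (Node's HTTP parser lower-cases header names).
function makeRequest(communityId, authorization) {
  const headers = authorization === undefined ? {} : { authorization };
  return { params: { communityId }, headers };
}

// Exercise the allowed and denied cases the issue asks tests to cover.
function runCases() {
  const status = (c, auth) => handleListMembers(makeRequest(c, auth), sampleDeps).status;
  return {
    unauthenticated: status("c-1"),                        // 401
    malformedHeader: status("c-1", "tok-alice"),           // 401, no Bearer scheme
    unknownToken: status("c-1", "Bearer tok-unknown"),     // 401
    admin: status("c-1", "Bearer tok-alice"),              // 200
    revokedAdmin: status("c-1", "Bearer tok-bob"),         // 403
    adminOfOtherCommunity: status("c-2", "Bearer tok-alice"), // 403
    nonAdmin: status("c-1", "Bearer tok-carol"),           // 403
  };
}

console.log(runCases());
```

The role check is deliberately scoped to the `communityId` in the path: an admin of one community must not be able to list another community's members, which is why `adminOfOtherCommunity` is a denied case alongside the plain non-admin one.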
Acceptance criteria
- Community member listing requires admin access
- Non-admin users cannot list community members
- Authentication and authorisation failures return clear responses
- Tests cover allowed and denied cases