We have an endpoint GET /v5/challenges which returns the list of the challenges. Some challenges are private and would only be returned to the users who belong to particular groups.
At the moment this endpoint decides which challenges to return based on the user who called this endpoint.
We would like to be able to get a list of the challenges by admin/m2m token as another user sees it, like this:
GET /v5/challenges?viewAsUserId=123456
or
GET /v5/challenges?canViewUserId=123456
Reasons
We are working on performance testing for Challenge API and for Recommender API. For this purpose we have to get the list of the challenges using various users. At the moment the only way to do so is to provide credentials of such users and log in on behalf of these users. This is extremely insecure, especially on production. If we could request the list of the challenges on behalf of another user using M2M, we could test performance without introducing security risks.
Lakshmi mentioned that Topcoder Support has a need to see a list of the challenges as another user sees it to localize the issues.
We are also working on the Challenge Recommender API, which recommends challenges based on particular user history. It would be essential for testing, issue debugging and performance testing to be able to get the recommendations for a particular user. For this purpose, Recommender API should be able to get the list of the challenges as some user can see it from Challenge API using an m2m token.
I also believe that this feature is not only a solution for the particular problems listed above but is also a generally reasonable feature for Challenge API. In other words, such an endpoint would answer the question: what challenges does a particular user have access to? I think many Topcoder services might need an answer to such a question and this feature would also be useful for other tasks.
Security
There are no security risks, as admins and m2m can already see all the challenges. So this feature would only filter the list of challenges returned but not extend it.
Thanks for replying @rootelement, it's similar but we have a slightly different request.
memberId means my challenges, i.e. challenges where the member is registered as submitter/reviewer or challenges which the member is running as copilot/observer/manager.
But what we would like to have is to be able to get all the challenges which the user can see, even if the user is not participating in that challenge. I.e. we would like to get the All Challenges tab on behalf of any user:
Technical Complexity
viewAsUserId/canViewUserId from the query https://github.com/topcoder-platform/challenge-api/blob/develop/src/services/ChallengeService.js#L400
cc @ThomasKranitsas @rootelement @mtwomey @lakshmiathreya @codejamtc @RishiRajSahu
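The gate this request depends on (only admin or M2M callers may pass viewAsUserId, and the parameter narrows the result to the target user's view rather than widening it), as an added example that is not code from challenge-api. The caller shape, the `administrator` role name, the group data and the audit log are assumptions made for illustration.

```javascript
// Added example with hypothetical names; not challenge-api code.
// Constructed sample data: an empty groups array means a public challenge.
const CHALLENGES = [
  { id: 'c1', groups: [] },
  { id: 'c2', groups: ['g-alpha'] },
  { id: 'c3', groups: ['g-beta'] },
];
const USER_GROUPS = new Map([['123456', ['g-alpha']], ['222', []]]);

function httpError(status, message) {
  return Object.assign(new Error(message), { status });
}

// Assumed caller shape, decoded from an already verified token.
function isPrivileged(caller) {
  return caller.isMachine === true || (caller.roles || []).includes('administrator');
}

// Decide whose visibility applies before any data is fetched.
function resolveViewer(caller, query) {
  const target = query.viewAsUserId;
  if (target === undefined) {
    return { userId: caller.userId, seeAll: isPrivileged(caller), viewAs: false };
  }
  // Reject first, so an ordinary user cannot probe another user's view.
  if (!isPrivileged(caller)) throw httpError(403, 'viewAsUserId requires admin or M2M');
  // Repeated query parameters arrive as arrays in common parsers; accept one numeric id only.
  if (typeof target !== 'string' || !/^\d+$/.test(target)) {
    throw httpError(400, 'viewAsUserId must be a single numeric id');
  }
  // The target's own visibility applies, never the caller's see-all right.
  return { userId: target, seeAll: false, viewAs: true };
}

function listChallenges(caller, query, auditLog) {
  const viewer = resolveViewer(caller, query);
  if (viewer.viewAs) {
    auditLog.push({ actor: caller.userId || caller.clientId, viewAs: viewer.userId });
  }
  if (viewer.seeAll) return CHALLENGES.map((c) => c.id);
  const groups = new Set(USER_GROUPS.get(viewer.userId) || []);
  return CHALLENGES
    .filter((c) => c.groups.length === 0 || c.groups.some((g) => groups.has(g)))
    .map((c) => c.id);
}
```

Recording each view-as request with the acting identity gives support and test traffic a trail that is separate from the target user's own activity.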