fix: acl issue

packages/nc-gui/components/project/AccessSettings.vue

@@ -92,28 +92,6 @@ const updateCollaborator = async (collab: any, roles: ProjectRoles) => {
   }
 }
 
-watchDebounced(
-  userSearchText,
-  async () => {
-    isSearching.value = true
-
-    totalCollaborators.value = 0
-    collaborators.value = []
-
-    try {
-      await loadCollaborators()
-    } catch (e: any) {
-      message.error(await extractSdkResponseErrorMsg(e))
-    } finally {
-      isSearching.value = false
-    }
-  },
-  {
-    debounce: 300,
-    maxWait: 600,
-  },
-)
-
 onMounted(async () => {
   isLoading.value = true
   try {
@@ -132,6 +110,10 @@ onMounted(async () => {
     isLoading.value = false
   }
 })
+
+const filteredCollaborators = computed(() =>
+  collaborators.value.filter((collab) => collab.email.toLowerCase().includes(userSearchText.value.toLowerCase())),
+)
 </script>
 
 <template>
@@ -153,7 +135,7 @@ onMounted(async () => {
       </div>
 
       <div
-        v-else-if="!collaborators?.length"
+        v-else-if="!filteredCollaborators?.length"
         class="nc-collaborators-list w-full h-full flex flex-col items-center justify-center mt-36"
       >
         <Empty description="$t('title.noMembersFound')" />
@@ -168,7 +150,7 @@ onMounted(async () => {
 
           <div class="flex flex-col nc-scrollbar-md">
             <div
-              v-for="(collab, i) of collaborators"
+              v-for="(collab, i) of filteredCollaborators"
               :key="i"
               class="user-row flex flex-row border-b-1 py-1 min-h-14 items-center"
             >

packages/nocodb/src/controllers/base-users.controller.ts

@@ -11,7 +11,7 @@ import {
   UseGuards,
 } from '@nestjs/common';
 import { Request } from 'express';
-import { ProjectUserReqType } from 'nocodb-sdk';
+import { ProjectRoles, ProjectUserReqType } from 'nocodb-sdk';
 import { GlobalGuard } from '~/guards/global/global.guard';
 import { BaseUsersService } from '~/services/base-users/base-users.service';
 import { NcError } from '~/helpers/catchError';
@@ -27,12 +27,19 @@ export class BaseUsersController {
     '/api/v1/db/meta/projects/:baseId/users',
     '/api/v2/meta/bases/:baseId/users',
   ])
-  @Acl('userList')
+  @Acl('baseUserList')
   async userList(@Param('baseId') baseId: string, @Req() req: Request) {
+    const baseRoles = Object.keys(req.user?.base_roles ?? {});
+    const mode =
+      baseRoles.includes(ProjectRoles.OWNER) ||
+      baseRoles.includes(ProjectRoles.CREATOR)
+        ? 'full'
+        : 'viewer';
+
     return {
       users: await this.baseUsersService.userList({
         baseId,
-        query: req.query,
+        mode,
       }),
     };
   }

packages/nocodb/src/models/BaseUser.ts

@@ -109,10 +109,10 @@ export default class BaseUser {
   public static async getUsersList(
     {
       base_id,
-      query,
+      mode = 'full',
     }: {
       base_id: string;
-      query?: string;
+      mode?: 'full' | 'viewer';
     },
     ncMeta = Noco.ncMeta,
   ): Promise<(Partial<User> & BaseUser)[]> {
@@ -126,17 +126,17 @@ export default class BaseUser {
           `${MetaTable.USERS}.id`,
           `${MetaTable.USERS}.email`,
           `${MetaTable.USERS}.display_name`,
+          ...(mode === 'full'
+            ? [
                 `${MetaTable.USERS}.invite_token`,
                 `${MetaTable.USERS}.roles as main_roles`,
                 `${MetaTable.USERS}.created_at as created_at`,
                 `${MetaTable.PROJECT_USERS}.base_id`,
                 `${MetaTable.PROJECT_USERS}.roles as roles`,
+              ]
+            : []),
         );
 
-      if (query) {
-        queryBuilder.where('email', 'like', `%${query.toLowerCase?.()}%`);
-      }
-
       queryBuilder.leftJoin(MetaTable.PROJECT_USERS, function () {
         this.on(
           `${MetaTable.PROJECT_USERS}.fk_user_id`,

packages/nocodb/src/services/base-users/base-users.service.ts

@@ -27,14 +27,13 @@ import { getProjectRolePower } from '~/utils/roleHelper';
 export class BaseUsersService {
   constructor(protected appHooksService: AppHooksService) {}
 
-  async userList(param: { baseId: string; query: any }) {
+  async userList(param: { baseId: string; mode?: 'full' | 'viewer' }) {
     const baseUsers = await BaseUser.getUsersList({
-      ...param.query,
       base_id: param.baseId,
+      mode: param.mode,
     });
 
     return new PagedResponseImpl(baseUsers, {
-      ...param.query,
       count: baseUsers.length,
     });
   }

packages/nocodb/src/utils/acl.ts

@@ -120,6 +120,7 @@ const permissionScopes = {
     'nestedDataList',
     'nestedDataLink',
     'nestedDataUnlink',
+    'baseUserList',
 
     // Base API Tokens
     'baseApiTokenList',
@@ -184,6 +185,7 @@ const rolePermissions:
       swaggerJson: true,
 
       nestedDataList: true,
+      baseUserList: true,
     },
   },
   [ProjectRoles.COMMENTER]: {