diff options
author | Lunny Xiao | 2019-10-24 14:01:40 +0800 |
---|---|---|
committer | Lauris BH | 2019-10-24 09:01:40 +0300 |
commit | 63c54f7e1f1132a6a96ea2f613e804d76d95f989 (patch) | |
tree | 67d3e70d915f026d98308e75365cbe38e087a28d | |
parent | f9845454cfb1a32f2be5e865c458fc8e4a41eb06 (diff) |
Hide some user information via API if user have no enough permission (#8655) (#8658)
* Hide some user information via API if user have no enough permission
* fix test
-rw-r--r-- | integrations/api_team_user_test.go | 1 | ||||
-rw-r--r-- | routers/api/v1/convert/convert.go | 8 |
2 files changed, 4 insertions, 5 deletions
diff --git a/integrations/api_team_user_test.go b/integrations/api_team_user_test.go index 70d52c136..4df4dac01 100644 --- a/integrations/api_team_user_test.go +++ b/integrations/api_team_user_test.go @@ -29,7 +29,6 @@ func TestAPITeamUser(t *testing.T) { var user2 *api.User DecodeJSON(t, resp, &user2) user2.Created = user2.Created.In(time.Local) - user2.LastLogin = user2.LastLogin.In(time.Local) user := models.AssertExistsAndLoadBean(t, &models.User{Name: "user2"}).(*models.User) assert.Equal(t, convert.ToUser(user, true, false), user2) diff --git a/routers/api/v1/convert/convert.go b/routers/api/v1/convert/convert.go index d2691f823..5d62bf3b0 100644 --- a/routers/api/v1/convert/convert.go +++ b/routers/api/v1/convert/convert.go @@ -231,12 +231,9 @@ func ToTeam(team *models.Team) *api.Team { // ToUser convert models.User to api.User func ToUser(user *models.User, signed, authed bool) *api.User { result := &api.User{ - ID: user.ID, UserName: user.Name, AvatarURL: user.AvatarLink(), FullName: markup.Sanitize(user.FullName), - IsAdmin: user.IsAdmin, - LastLogin: user.LastLoginUnix.AsTime(), Created: user.CreatedUnix.AsTime(), } // hide primary email if API caller isn't user itself or an admin @@ -244,8 +241,11 @@ func ToUser(user *models.User, signed, authed bool) *api.User { result.Email = "" } else if user.KeepEmailPrivate && !authed { result.Email = user.GetEmail() - } else { + } else { // only user himself and admin could visit these information + result.ID = user.ID result.Email = user.Email + result.IsAdmin = user.IsAdmin + result.LastLogin = user.LastLoginUnix.AsTime() } return result } |