aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLunny Xiao2019-10-24 14:01:40 +0800
committerLauris BH2019-10-24 09:01:40 +0300
commit63c54f7e1f1132a6a96ea2f613e804d76d95f989 (patch)
tree67d3e70d915f026d98308e75365cbe38e087a28d
parentf9845454cfb1a32f2be5e865c458fc8e4a41eb06 (diff)
Hide some user information via API if user have no enough permission (#8655) (#8658)
* Hide some user information via API if user have no enough permission * fix test
-rw-r--r--integrations/api_team_user_test.go1
-rw-r--r--routers/api/v1/convert/convert.go8
2 files changed, 4 insertions, 5 deletions
diff --git a/integrations/api_team_user_test.go b/integrations/api_team_user_test.go
index 70d52c136..4df4dac01 100644
--- a/integrations/api_team_user_test.go
+++ b/integrations/api_team_user_test.go
@@ -29,7 +29,6 @@ func TestAPITeamUser(t *testing.T) {
var user2 *api.User
DecodeJSON(t, resp, &user2)
user2.Created = user2.Created.In(time.Local)
- user2.LastLogin = user2.LastLogin.In(time.Local)
user := models.AssertExistsAndLoadBean(t, &models.User{Name: "user2"}).(*models.User)
assert.Equal(t, convert.ToUser(user, true, false), user2)
diff --git a/routers/api/v1/convert/convert.go b/routers/api/v1/convert/convert.go
index d2691f823..5d62bf3b0 100644
--- a/routers/api/v1/convert/convert.go
+++ b/routers/api/v1/convert/convert.go
@@ -231,12 +231,9 @@ func ToTeam(team *models.Team) *api.Team {
// ToUser convert models.User to api.User
func ToUser(user *models.User, signed, authed bool) *api.User {
result := &api.User{
- ID: user.ID,
UserName: user.Name,
AvatarURL: user.AvatarLink(),
FullName: markup.Sanitize(user.FullName),
- IsAdmin: user.IsAdmin,
- LastLogin: user.LastLoginUnix.AsTime(),
Created: user.CreatedUnix.AsTime(),
}
// hide primary email if API caller isn't user itself or an admin
@@ -244,8 +241,11 @@ func ToUser(user *models.User, signed, authed bool) *api.User {
result.Email = ""
} else if user.KeepEmailPrivate && !authed {
result.Email = user.GetEmail()
- } else {
+ } else { // only user himself and admin could visit these information
+ result.ID = user.ID
result.Email = user.Email
+ result.IsAdmin = user.IsAdmin
+ result.LastLogin = user.LastLoginUnix.AsTime()
}
return result
}