]> source.dussan.org Git - gitea.git/commitdiff
Hide some user information via API if user have no enough permission (#8655)
authorLunny Xiao <xiaolunwen@gmail.com>
Thu, 24 Oct 2019 02:52:17 +0000 (10:52 +0800)
committerGitHub <noreply@github.com>
Thu, 24 Oct 2019 02:52:17 +0000 (10:52 +0800)
* Hide some user information via API if user have no enough permission

* fix test

integrations/api_team_user_test.go
routers/api/v1/convert/convert.go

index 70d52c13601d663292d58e2f26d13514f34d76cf..4df4dac016ad64ee070f0f7d8c4ed15f8e1b18a4 100644 (file)
@@ -29,7 +29,6 @@ func TestAPITeamUser(t *testing.T) {
        var user2 *api.User
        DecodeJSON(t, resp, &user2)
        user2.Created = user2.Created.In(time.Local)
-       user2.LastLogin = user2.LastLogin.In(time.Local)
        user := models.AssertExistsAndLoadBean(t, &models.User{Name: "user2"}).(*models.User)
 
        assert.Equal(t, convert.ToUser(user, true, false), user2)
index 02620513903e711bdb778f08eaf14b3bdc8ba597..07456f8dd687a59124dfc542c2a4fac2fdc85e55 100644 (file)
@@ -237,12 +237,9 @@ func ToTeam(team *models.Team) *api.Team {
 // ToUser convert models.User to api.User
 func ToUser(user *models.User, signed, authed bool) *api.User {
        result := &api.User{
-               ID:        user.ID,
                UserName:  user.Name,
                AvatarURL: user.AvatarLink(),
                FullName:  markup.Sanitize(user.FullName),
-               IsAdmin:   user.IsAdmin,
-               LastLogin: user.LastLoginUnix.AsTime(),
                Created:   user.CreatedUnix.AsTime(),
        }
        // hide primary email if API caller isn't user itself or an admin
@@ -250,8 +247,11 @@ func ToUser(user *models.User, signed, authed bool) *api.User {
                result.Email = ""
        } else if user.KeepEmailPrivate && !authed {
                result.Email = user.GetEmail()
-       } else {
+       } else { // only user himself and admin could visit these information
+               result.ID = user.ID
                result.Email = user.Email
+               result.IsAdmin = user.IsAdmin
+               result.LastLogin = user.LastLoginUnix.AsTime()
        }
        return result
 }