Fix what information is shown about user in API. (#9115)
authorDavid Svantesson <davidsvantesson@gmail.com>
Sun, 24 Nov 2019 19:45:58 +0000 (20:45 +0100)
committertechknowlogick <techknowlogick@gitea.io>
Sun, 24 Nov 2019 19:45:58 +0000 (14:45 -0500)
* Fix what information is shown about user in API.

* Use Email directly, as KeepEmailPrivate is already handled.

modules/convert/convert.go

index d3b2e38165b95ce2d2deb6ba5ea4291c2de5a19c..0fa05d08508a32678d45e561d94188e44ae95451 100644 (file)
@@ -256,6 +256,7 @@ func ToTeam(team *models.Team) *api.Team {
 }
 
 // ToUser convert models.User to api.User
+// signed shall only be set if requester is logged in. authed shall only be set if user is site admin or user himself
 func ToUser(user *models.User, signed, authed bool) *api.User {
        result := &api.User{
                UserName:  user.Name,
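Review bot: The added doc comment on ToUser tells callers when they may set each flag but not what each flag discloses, so a reader at a call site cannot judge what passing `true` exposes. Going by the second hunk, it could read `// signed must be true only for a logged-in requester; it allows Email unless the user keeps it private.` followed by `// authed must be true only for a site admin or the user themselves; it also allows ID, IsAdmin and LastLogin.` Starting the first sentence with the function name and using "the user themselves" would also match the usual Go doc style. ToUser's body continues outside this hunk.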
@@ -263,14 +264,13 @@ func ToUser(user *models.User, signed, authed bool) *api.User {
                FullName:  markup.Sanitize(user.FullName),
                Created:   user.CreatedUnix.AsTime(),
        }
-       // hide primary email if API caller isn't user itself or an admin
-       if !signed {
-               result.Email = ""
-       } else if user.KeepEmailPrivate && !authed {
-               result.Email = user.GetEmail()
-       } else { // only user himself and admin could visit these information
-               result.ID = user.ID
+       // hide primary email if API caller is anonymous or user keep email private
+       if signed && (!user.KeepEmailPrivate || authed) {
                result.Email = user.Email
+       }
+       // only site admin will get these information and possibly user himself
+       if authed {
+               result.ID = user.ID
                result.IsAdmin = user.IsAdmin
                result.LastLogin = user.LastLoginUnix.AsTime()
        }
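Review bot: The `if authed` block does not check `signed`, so the doc comment's rule that authed is only set for a logged-in admin or the user is enforced by nothing but caller discipline. A call site that passes `authed=true` on an anonymous request would still receive ID, IsAdmin and LastLogin. Changing the guard to `if signed && authed {` keeps those fields behind both conditions. Separately, a signed-in but non-authed requester now gets an empty Email for users with KeepEmailPrivate, where the removed branch returned `user.GetEmail()`, and no longer gets ID at all; if API clients relied on either, that is worth stating in the release notes. ToUser begins in the previous hunk and its return lies outside this one.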