#1127: hide user e-mail when API caller isn't signed in

2 files changed, 6 insertions, 0 deletions

diff --git a/modules/middleware/auth.go b/modules/middleware/auth.go
index b2aaae101d..8f86b79177 100644
--- a/modules/middleware/auth.go
+++ b/modules/middleware/auth.go
@@ -69,6 +69,7 @@ func Toggle(options *ToggleOptions) macaron.Handler {
 	}
 }
 
+// Contexter middleware already checks token for user sign in process.
 func ApiReqToken() macaron.Handler {
 	return func(ctx *Context) {
 		if !ctx.IsSigned {
diff --git a/routers/api/v1/user.go b/routers/api/v1/user.go
index e9ba615fcb..a4648297b9 100644
--- a/routers/api/v1/user.go
+++ b/routers/api/v1/user.go
@@ -68,5 +68,10 @@ func GetUserInfo(ctx *middleware.Context) {
 		}
 		return
 	}
+
+	// Hide user e-mail when API caller isn't signed in.
+	if !ctx.IsSigned {
+		u.Email = ""
+	}
 	ctx.JSON(200, &api.User{u.Id, u.Name, u.FullName, u.Email, u.AvatarLink()})
 }