diff options
author | JakobDev <jakobdev@gmx.de> | 2023-07-31 03:18:38 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-07-31 01:18:38 +0000 |
commit | ea385f5d39a286ec36f3735fc7c5211b141f6165 (patch) | |
tree | 2c4ec81c6249cb2b2e53065635158c27ad3fa8be /tests | |
parent | 7dc2e501134c86b3b6ab213779b19e801fd2bbbf (diff) | |
download | gitea-ea385f5d39a286ec36f3735fc7c5211b141f6165.tar.gz gitea-ea385f5d39a286ec36f3735fc7c5211b141f6165.zip |
Fix API leaking Usermail if not logged in (#25097)
The API should only return the real Mail of a User, if the caller is
logged in. The check do to this don't work. This PR fixes this. This not
really a security issue, but can lead to Spam.
---------
Co-authored-by: silverwind <me@silverwind.io>
Diffstat (limited to 'tests')
-rw-r--r-- | tests/integration/api_user_info_test.go | 16 | ||||
-rw-r--r-- | tests/integration/api_user_search_test.go | 8 |
2 files changed, 17 insertions, 7 deletions
diff --git a/tests/integration/api_user_info_test.go b/tests/integration/api_user_info_test.go index 82cd97e904..f4edfd8941 100644 --- a/tests/integration/api_user_info_test.go +++ b/tests/integration/api_user_info_test.go @@ -9,6 +9,8 @@ import ( "testing" auth_model "code.gitea.io/gitea/models/auth" + "code.gitea.io/gitea/models/unittest" + user_model "code.gitea.io/gitea/models/user" api "code.gitea.io/gitea/modules/structs" "code.gitea.io/gitea/tests" @@ -21,6 +23,8 @@ func TestAPIUserInfo(t *testing.T) { user := "user1" user2 := "user31" + user3 := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "user3"}) + session := loginUser(t, user) token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadUser) @@ -36,6 +40,18 @@ func TestAPIUserInfo(t *testing.T) { req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/%s", user2)) MakeRequest(t, req, http.StatusNotFound) + + // test if the placaholder Mail is returned if a User is not logged in + req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/%s", user3.Name)) + resp = MakeRequest(t, req, http.StatusOK) + DecodeJSON(t, resp, &u) + assert.Equal(t, user3.GetPlaceholderEmail(), u.Email) + + // Test if the correct Mail is returned if a User is logged in + req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/%s?token=%s", user3.Name, token)) + resp = MakeRequest(t, req, http.StatusOK) + DecodeJSON(t, resp, &u) + assert.Equal(t, user3.GetEmail(), u.Email) }) t.Run("GetAuthenticatedUser", func(t *testing.T) { diff --git a/tests/integration/api_user_search_test.go b/tests/integration/api_user_search_test.go index be14d5a6b2..c5b202b319 100644 --- a/tests/integration/api_user_search_test.go +++ b/tests/integration/api_user_search_test.go @@ -4,14 +4,12 @@ package integration import ( - "fmt" "net/http" "testing" auth_model "code.gitea.io/gitea/models/auth" "code.gitea.io/gitea/models/unittest" user_model "code.gitea.io/gitea/models/user" - "code.gitea.io/gitea/modules/setting" api "code.gitea.io/gitea/modules/structs" "code.gitea.io/gitea/tests" @@ -54,11 +52,7 @@ func TestAPIUserSearchNotLoggedIn(t *testing.T) { for _, user := range results.Data { assert.Contains(t, user.UserName, query) modelUser = unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: user.ID}) - if modelUser.KeepEmailPrivate { - assert.EqualValues(t, fmt.Sprintf("%s@%s", modelUser.LowerName, setting.Service.NoReplyAddress), user.Email) - } else { - assert.EqualValues(t, modelUser.Email, user.Email) - } + assert.EqualValues(t, modelUser.GetPlaceholderEmail(), user.Email) } } |