From 63c54f7e1f1132a6a96ea2f613e804d76d95f989 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Thu, 24 Oct 2019 14:01:40 +0800
Subject: Hide some user information via API if user have no enough permission
 (#8655) (#8658)

* Hide some user information via API if user have no enough permission

* fix test
---
 routers/api/v1/convert/convert.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'routers/api')

diff --git a/routers/api/v1/convert/convert.go b/routers/api/v1/convert/convert.go
index d2691f8238..5d62bf3b0d 100644
--- a/routers/api/v1/convert/convert.go
+++ b/routers/api/v1/convert/convert.go
@@ -231,12 +231,9 @@ func ToTeam(team *models.Team) *api.Team {
 // ToUser convert models.User to api.User
 func ToUser(user *models.User, signed, authed bool) *api.User {
 	result := &api.User{
-		ID:        user.ID,
 		UserName:  user.Name,
 		AvatarURL: user.AvatarLink(),
 		FullName:  markup.Sanitize(user.FullName),
-		IsAdmin:   user.IsAdmin,
-		LastLogin: user.LastLoginUnix.AsTime(),
 		Created:   user.CreatedUnix.AsTime(),
 	}
 	// hide primary email if API caller isn't user itself or an admin
@@ -244,8 +241,11 @@ func ToUser(user *models.User, signed, authed bool) *api.User {
 		result.Email = ""
 	} else if user.KeepEmailPrivate && !authed {
 		result.Email = user.GetEmail()
-	} else {
+	} else { // only user himself and admin could visit these information
+		result.ID = user.ID
 		result.Email = user.Email
+		result.IsAdmin = user.IsAdmin
+		result.LastLogin = user.LastLoginUnix.AsTime()
 	}
 	return result
 }
-- 
cgit v1.2.3