From 97c8569a798075c50e93e585ac741ab55cb7c28b Mon Sep 17 00:00:00 2001 From: gasoved Date: Mon, 21 Jun 2021 19:58:31 +0300 Subject: [PATCH] fix: hide private user data in api/v3/users/[uid] --- src/controllers/write/users.js | 4 ++- src/user/data.js | 21 ++++++++++++++++ test/user.js | 46 +++++++++++++++++++++++----------- 3 files changed, 55 insertions(+), 16 deletions(-) diff --git a/src/controllers/write/users.js b/src/controllers/write/users.js index 8b7e483ba2..222d664032 100644 --- a/src/controllers/write/users.js +++ b/src/controllers/write/users.js @@ -44,7 +44,9 @@ Users.exists = async (req, res) => { }; Users.get = async (req, res) => { - helpers.formatApiResponse(200, res, await user.getUserData(req.params.uid)); + const userData = await user.getUserData(req.params.uid); + const publicUserData = await user.hidePrivateData(userData, req.uid); + helpers.formatApiResponse(200, res, publicUserData); }; Users.update = async (req, res) => { diff --git a/src/user/data.js b/src/user/data.js index 7b80bb1ee1..fe5b8dc19e 100644 --- a/src/user/data.js +++ b/src/user/data.js @@ -141,6 +141,27 @@ module.exports = function (User) { return await User.getUsersFields(uids, []); }; + User.hidePrivateData = async function (userData, callerUID) { + const _userData = { ...userData }; + + const isSelf = parseInt(callerUID, 10) === parseInt(_userData.uid, 10); + const [userSettings, isAdmin, isGlobalModerator] = await Promise.all([ + User.getSettings(_userData.uid), + User.isAdministrator(callerUID), + User.isGlobalModerator(callerUID), + ]); + const privilegedOrSelf = isAdmin || isGlobalModerator || isSelf; + + if (!privilegedOrSelf && (!userSettings.showemail || meta.config.hideEmail)) { + _userData.email = ''; + } + if (!privilegedOrSelf && (!userSettings.showfullname || meta.config.hideFullname)) { + _userData.fullname = ''; + } + + return _userData; + }; + async function modifyUserData(users, requestedFields, fieldsToRemove) { let uidToSettings = {}; if (meta.config.showFullnameAsDisplayName) { diff --git a/test/user.js b/test/user.js index 537b06bca1..6c6bf85a34 100644 --- a/test/user.js +++ b/test/user.js @@ -2509,32 +2509,48 @@ describe('User', () => { }); describe('hideEmail/hideFullname', () => { + const COMMON_PW = '123456'; let uid; + let jar; + let regularUserUid; + + before(async () => { + uid = await User.create({ + username: 'hiddenemail', + email: 'should@be.hidden', + fullname: 'baris soner usakli', + }); + regularUserUid = await User.create({ + username: 'regularUser', + password: COMMON_PW, + }); + jar = await new Promise((resolve, reject) => { + helpers.loginUser('regularUser', COMMON_PW, async (err, _jar) => { + if (err) { + reject(err); + } + resolve(_jar); + }); + }); + }); + after((done) => { meta.config.hideEmail = 0; meta.config.hideFullname = 0; done(); }); - it('should hide email and fullname', (done) => { + it('should hide email and fullname', async () => { meta.config.hideEmail = 1; meta.config.hideFullname = 1; - User.create({ - username: 'hiddenemail', - email: 'should@be.hidden', - fullname: 'baris soner usakli', - }, (err, _uid) => { - uid = _uid; - assert.ifError(err); - request(`${nconf.get('url')}/api/user/hiddenemail`, { json: true }, (err, res, body) => { - assert.ifError(err); - assert.equal(body.fullname, ''); - assert.equal(body.email, ''); + const userData1 = await requestAsync(`${nconf.get('url')}/api/user/hiddenemail`, { json: true }); + assert.strictEqual(userData1.fullname, ''); + assert.strictEqual(userData1.email, ''); - done(); - }); - }); + const { response } = await requestAsync(`${nconf.get('url')}/api/v3/users/${uid}`, { json: true, jar: jar }); + assert.strictEqual(response.fullname, ''); + assert.strictEqual(response.email, ''); }); it('should hide fullname in topic list and topic', (done) => {