fix: hide private user data in api/v3/users/[uid]

4 years ago · 97c8569a79
parent d9e2190a6b
commit 97c8569a79
3 changed files with 55 additions and 16 deletions
--- a/src/controllers/write/users.js
+++ b/src/controllers/write/users.js
@ -44,7 +44,9 @@ Users.exists = async (req, res) => {
 };
 Users.get = async (req, res) => {
-	helpers.formatApiResponse(200, res, await user.getUserData(req.params.uid));
+	const userData = await user.getUserData(req.params.uid);
 	const publicUserData = await user.hidePrivateData(userData, req.uid);
 	helpers.formatApiResponse(200, res, publicUserData);
 };
 Users.update = async (req, res) => {
--- a/src/user/data.js
+++ b/src/user/data.js
@ -141,6 +141,27 @@ module.exports = function (User) {
 		return await User.getUsersFields(uids, []);
 	};
 	User.hidePrivateData = async function (userData, callerUID) {
 		const _userData = { ...userData };
 		const isSelf = parseInt(callerUID, 10) === parseInt(_userData.uid, 10);
 		const [userSettings, isAdmin, isGlobalModerator] = await Promise.all([
 			User.getSettings(_userData.uid),
 			User.isAdministrator(callerUID),
 			User.isGlobalModerator(callerUID),
 		]);
 		const privilegedOrSelf = isAdmin || isGlobalModerator || isSelf;
 		if (!privilegedOrSelf && (!userSettings.showemail || meta.config.hideEmail)) {
 			_userData.email = '';
 		}
 		if (!privilegedOrSelf && (!userSettings.showfullname || meta.config.hideFullname)) {
 			_userData.fullname = '';
 		}
 		return _userData;
 	};
 	async function modifyUserData(users, requestedFields, fieldsToRemove) {
 		let uidToSettings = {};
 		if (meta.config.showFullnameAsDisplayName) {
--- a/test/user.js
+++ b/test/user.js
@ -2509,32 +2509,48 @@ describe('User', () => {
 	});
 	describe('hideEmail/hideFullname', () => {
 		const COMMON_PW = '123456';
 		let uid;
 		let jar;
 		let regularUserUid;
 		before(async () => {
 			uid = await User.create({
 				username: 'hiddenemail',
 				email: 'should@be.hidden',
 				fullname: 'baris soner usakli',
 			});
 			regularUserUid = await User.create({
 				username: 'regularUser',
 				password: COMMON_PW,
 			});
 			jar = await new Promise((resolve, reject) => {
 				helpers.loginUser('regularUser', COMMON_PW, async (err, _jar) => {
 					if (err) {
 						reject(err);
 					}
 					resolve(_jar);
 				});
 			});
 		});
 		after((done) => {
 			meta.config.hideEmail = 0;
 			meta.config.hideFullname = 0;
 			done();
 		});
-		it('should hide email and fullname', (done) => {
+		it('should hide email and fullname', async () => {
 			meta.config.hideEmail = 1;
 			meta.config.hideFullname = 1;
-			User.create({
+			const userData1 = await requestAsync(`${nconf.get('url')}/api/user/hiddenemail`, { json: true });
-				username: 'hiddenemail',
+			assert.strictEqual(userData1.fullname, '');
-				email: 'should@be.hidden',
+			assert.strictEqual(userData1.email, '');
 				fullname: 'baris soner usakli',
 			}, (err, _uid) => {
 				uid = _uid;
 				assert.ifError(err);
 				request(`${nconf.get('url')}/api/user/hiddenemail`, { json: true }, (err, res, body) => {
 					assert.ifError(err);
 					assert.equal(body.fullname, '');
 					assert.equal(body.email, '');
-					done();
+			const { response } = await requestAsync(`${nconf.get('url')}/api/v3/users/${uid}`, { json: true, jar: jar });
-				});
+			assert.strictEqual(response.fullname, '');
-			});
+			assert.strictEqual(response.email, '');
 		});
 		it('should hide fullname in topic list and topic', (done) => {