From 8aacc8f89cf7dcf6295831dbe0aed4b15aa793cd Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Mon, 21 Aug 2023 15:26:22 -0400
Subject: [PATCH 1/2] fix: #11906, remove retrieval of SSO data in getAllData internal method, only retrieve for calling user or admins, and only on edit page
---
 src/controllers/accounts/edit.js | 8 +++++++-
 src/controllers/accounts/helpers.js | 11 -----------
 2 files changed, 7 insertions(+), 12 deletions(-)
diff --git a/src/controllers/accounts/edit.js b/src/controllers/accounts/edit.js
index 84763a6e71..9b6526ad80 100644
--- a/src/controllers/accounts/edit.js
+++ b/src/controllers/accounts/edit.js
@@ -5,6 +5,7 @@ const meta = require('../../meta');
 const helpers = require('../helpers');
 const groups = require('../../groups');
 const privileges = require('../../privileges');
+const plugins = require('../../plugins');
 const accountHelpers = require('./helpers');
 const file = require('../../file');
 
@@ -19,9 +20,10 @@ editController.get = async function (req, res) {
 groups: _groups,
 groupTitleArray,
 allowMultipleBadges,
- }, canUseSignature] = await Promise.all([
+ }, canUseSignature, canManageUsers] = await Promise.all([
 accountHelpers.getUserDataByUserSlug(req.params.userslug, req.uid, req.query),
 privileges.global.can('signature', req.uid),
+ privileges.admin.can('admin:users', req.uid),
 ]);
 
 const payload = {};
@@ -38,6 +40,10 @@ editController.get = async function (req, res) {
 
 payload.groups = _groups.filter(g => g && g.userTitleEnabled && !groups.isPrivilegeGroup(g.name) && g.name !== 'registered-users');
 
+ if (req.uid === res.locals.uid || canManageUsers) {
+ payload.sso = await plugins.hooks.fire('filter:auth.list', { uid: res.locals.uid, associations: [] });
+ }
+
 if (!allowMultipleBadges) {
 payload.groupTitle = groupTitleArray[0];
 }
diff --git a/src/controllers/accounts/helpers.js b/src/controllers/accounts/helpers.js
index 4ac8042eba..592d3011db 100644
--- a/src/controllers/accounts/helpers.js
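Review bot: The new guard `if (req.uid === res.locals.uid || canManageUsers)` carries no comment saying why the SSO list is gated here, so the next reader will not connect it to #11906 (the removed helpers.js code returned the provider association list for every viewer of the profile). I would add above the `if`: `// SSO associations (incl. provider deauth URLs) are only exposed to the profile owner or holders of admin:users — see #11906.` The guard also depends on `res.locals.uid` already being populated, presumably by route middleware that is not part of this patch, and a word on that in the same comment would help. editController.get starts and ends outside the hunk.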
+++ b/src/controllers/accounts/helpers.js
@@ -104,16 +104,6 @@ helpers.getUserDataByUserSlug = async function (userslug, callerUID, query = {})
 canViewInfo: canViewInfo,
 });
 
- userData.sso = results.sso.associations.map((association) => {
- if (!isSelf) {
- delete association.deauthUrl;
- if (!association.associated) {
- delete association.url;
- }
- }
-
- return association;
- });
 userData.banned = Boolean(userData.banned);
 userData.muted = parseInt(userData.mutedUntil, 10) > Date.now();
 userData.website = escape(userData.website);
@@ -162,7 +152,6 @@ async function getAllData(uid, callerUID) {
 ips: user.getIPs(uid, 4),
 profile_menu: getProfileMenu(uid, callerUID),
 groups: groups.getUserGroups([uid]),
- sso: plugins.hooks.fire('filter:auth.list', { uid: uid, associations: [] }),
 canEdit: privileges.users.canEdit(callerUID, uid),
 canBanUser: privileges.users.canBanUser(callerUID, uid),
 canMuteUser: privileges.users.canMuteUser(callerUID, uid),
From df65c60081e515f23c5e8e470559b3e2d6198b57 Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Mon, 21 Aug 2023 15:38:41 -0400
Subject: [PATCH 2/2] fix: improper SSO format (regression), update openapi schema
---
 public/openapi/components/schemas/UserObject.yaml | 15 ---------------
 public/openapi/read/user/userslug/edit.yaml | 15 +++++++++++++++
 src/controllers/accounts/edit.js | 3 ++-
 3 files changed, 17 insertions(+), 16 deletions(-)
diff --git a/public/openapi/components/schemas/UserObject.yaml b/public/openapi/components/schemas/UserObject.yaml
index d10acf63bc..c2b3177637 100644
--- a/public/openapi/components/schemas/UserObject.yaml
+++ b/public/openapi/components/schemas/UserObject.yaml
@@ -512,21 +512,6 @@ UserObjectFull:
 - name
 - visibility
 - public
- sso:
- type: array
- items:
- type: object
- properties:
- associated:
- type: boolean
- url:
- type: string
- name:
- type: string
- icon:
- type: string
- deauthUrl:
- type: string
 websiteLink:
 type: string
 websiteName:
diff --git a/public/openapi/read/user/userslug/edit.yaml b/public/openapi/read/user/userslug/edit.yaml
index 734ea32abf..8ba486b5e8 100644
--- a/public/openapi/read/user/userslug/edit.yaml
+++ b/public/openapi/read/user/userslug/edit.yaml
@@ -47,6 +47,21 @@ get:
 type: number
 defaultAvatar:
 type: string
+ sso:
+ type: array
+ items:
+ type: object
+ properties:
+ associated:
+ type: boolean
+ url:
+ type: string
+ name:
+ type: string
+ icon:
+ type: string
+ deauthUrl:
+ type: string
 groupSelectSize:
 type: number
 title:
diff --git a/src/controllers/accounts/edit.js b/src/controllers/accounts/edit.js
index 9b6526ad80..8560f043e8 100644
--- a/src/controllers/accounts/edit.js
+++ b/src/controllers/accounts/edit.js
@@ -41,7 +41,8 @@ editController.get = async function (req, res) {
 payload.groups = _groups.filter(g => g && g.userTitleEnabled && !groups.isPrivilegeGroup(g.name) && g.name !== 'registered-users');
 
 if (req.uid === res.locals.uid || canManageUsers) {
- payload.sso = await plugins.hooks.fire('filter:auth.list', { uid: res.locals.uid, associations: [] });
+ const { associations } = await plugins.hooks.fire('filter:auth.list', { uid: res.locals.uid, associations: [] });
+ payload.sso = associations;
 }
 
 if (!allowMultipleBadges) {
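Review bot: An admin opening another user's edit page now gets the hook output unfiltered — every provider's `deauthUrl` plus the `url` of providers that user has not linked — whereas the code patch 1 removed from helpers.js stripped `deauthUrl` for every non-self viewer and `url` for unassociated entries, and neither commit reapplies that filter at the new site. If the owner-only restriction was deliberate (a deauth link is an action against someone else's account, so it at least deserves an explicit decision), the map below restores it here; if admins are meant to see everything, a one-line comment saying so would spare the next reviewer the same question. Note also that the guard compares `req.uid` with `res.locals.uid` using `===`, so if whatever middleware sets `res.locals.uid` ever yields a string the self branch fails closed and only `admin:users` holders see the list — that middleware is not visible in this patch, so treat this as something to confirm. editController.get continues beyond the hunk on both sides.
```javascript
if (req.uid === res.locals.uid || canManageUsers) {
	const { associations } = await plugins.hooks.fire('filter:auth.list', { uid: res.locals.uid, associations: [] });
	const isSelf = req.uid === res.locals.uid;
	// Admins may see which providers are linked, but deauth links (and login
	// URLs for unlinked providers) stay owner-only, as they were before #11906.
	payload.sso = associations.map((association) => {
		if (!isSelf) {
			delete association.deauthUrl;
			if (!association.associated) {
				delete association.url;
			}
		}
		return association;
	});
}
```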