From eeedba697be8467dad69833f466db6f8fb8c55d3 Mon Sep 17 00:00:00 2001
From: Baris Usakli
Date: Wed, 8 Nov 2017 14:06:52 -0500
Subject: [PATCH] closes #5804
---
 src/user.js | 9 +++++----
 src/user/data.js | 36 +++++++++++++++++++++++------------
 test/user.js | 38 +++++++++++++++++++++++++++++++++++++-
 3 files changed, 65 insertions(+), 18 deletions(-)
diff --git a/src/user.js b/src/user.js
index 577afee7a4..3275e25db3 100644
--- a/src/user.js
+++ b/src/user.js
@@ -102,10 +102,11 @@ User.getUsersWithFields = function (uids, fields, uid, callback) {
 };
 User.getUsers = function (uids, uid, callback) {
- var fields = ['uid', 'username', 'userslug', 'picture', 'status', 'flags',
- 'banned', 'banned:expire', 'joindate', 'postcount', 'reputation', 'email:confirmed', 'lastonline'];
-
- User.getUsersWithFields(uids, fields, uid, callback);
+ User.getUsersWithFields(uids, [
+ 'uid', 'username', 'userslug', 'picture', 'status',
+ 'postcount', 'reputation', 'email:confirmed', 'lastonline',
+ 'flags', 'banned', 'banned:expire', 'joindate',
+ ], uid, callback);
 };
 User.getStatus = function (userData) {
diff --git a/src/user/data.js b/src/user/data.js
index a0e89924af..131d034f96 100644
--- a/src/user/data.js
+++ b/src/user/data.js
@@ -11,8 +11,20 @@ var plugins = require('../plugins');
 var utils = require('../utils');
 module.exports = function (User) {
- var iconBackgrounds = ['#f44336', '#e91e63', '#9c27b0', '#673ab7', '#3f51b5', '#2196f3',
- '#009688', '#1b5e20', '#33691e', '#827717', '#e65100', '#ff5722', '#795548', '#607d8b'];
+ var iconBackgrounds = [
+ '#f44336', '#e91e63', '#9c27b0', '#673ab7', '#3f51b5', '#2196f3',
+ '#009688', '#1b5e20', '#33691e', '#827717', '#e65100', '#ff5722',
+ '#795548', '#607d8b',
+ ];
+
+ var fieldWhitelist = [
+ 'uid', 'username', 'userslug', 'email', 'email:confirmed', 'joindate',
+ 'lastonline', 'picture', 'fullname', 'location', 'birthday', 'website',
+ 'aboutme', 'signature', 'uploadedpicture', 'profileviews', 'reputation',
+ 'postcount', 'topiccount', 'lastposttime', 'banned', 'banned:expire',
+ 'status', 'flags', 'followerCount', 'followingCount', 'cover:url',
+ 'cover:position', 'groupTitle',
+ ];
 User.getUserField = function (uid, field, callback) {
 User.getUserFields(uid, [field], function (err, user) {
@@ -48,7 +60,6 @@ module.exports = function (User) {
 }
 if (fields.indexOf('picture') !== -1) {
- addField('email');
 addField('uploadedpicture');
 }
@@ -62,11 +73,18 @@ module.exports = function (User) {
 async.waterfall([
 function (next) {
+ plugins.fireHook('filter:user.whitelistFields', { uids: uids, whitelist: fieldWhitelist.slice() }, next);
+ },
+ function (results, next) {
 if (fields.length) {
- db.getObjectsFields(uidsToUserKeys(uniqueUids), fields, next);
+ fields = fields.filter(function (field) {
+ return field && results.whitelist.includes(field);
+ });
 } else {
- db.getObjects(uidsToUserKeys(uniqueUids), next);
+ fields = results.whitelist;
 }
+
+ db.getObjectsFields(uidsToUserKeys(uniqueUids), fields, next);
 },
 function (users, next) {
 users = uidsToUsers(uids, uniqueUids, users);
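Review bot: `results.whitelist.includes(field)` and the fallback `fields = results.whitelist` trust the output of the `filter:user.whitelistFields` hook unconditionally, so a plugin that omits `whitelist` or replaces it with a non-array surfaces as a TypeError thrown inside the waterfall instead of an error delivered to the callback; a guard before the filter, `if (!Array.isArray(results.whitelist)) { return next(new Error('filter:user.whitelistFields returned no whitelist')); }`, keeps that failure on the callback path. Because the later hunk in this file (`@@ -118,14 +136,6`) drops the unconditional `user.password = undefined` / `user.rss_token = undefined` stripping, the hook-extended whitelist is now the only thing keeping the password hash and RSS token out of the result, and any plugin that pushes those names onto `data.whitelist` re-exposes them to every caller; consider re-applying a small fixed deny-list after the hook, or at least a comment on `fieldWhitelist` stating that plugins can widen it. Requested fields outside the whitelist are silently discarded rather than reported, which deserves a one-line comment on the `fields.filter` call so callers asking for a non-whitelisted field understand why they get `undefined`. The enclosing `getUsersFields` starts before this hunk.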
@@ -118,14 +136,6 @@ module.exports = function (User) {
 user.username = validator.escape(user.username ? user.username.toString() : '');
 }
- if (user.password) {
- user.password = undefined;
- }
-
- if (user.rss_token) {
- user.rss_token = undefined;
- }
-
 if (!parseInt(user.uid, 10)) {
 user.uid = 0;
 user.username = '[[global:guest]]';
diff --git a/test/user.js b/test/user.js
index d37e55e485..0decbfe0f6 100644
--- a/test/user.js
+++ b/test/user.js
@@ -490,12 +490,48 @@ describe('User', function () {
 it('should get user data even if one uid is NaN', function (done) {
 User.getUsersData([NaN, testUid], function (err, data) {
 assert.ifError(err);
- assert.equal(data[0], null);
+ assert(data[0]);
+ assert.equal(data[0].username, '[[global:guest]]');
 assert(data[1]);
 assert.equal(data[1].username, userData.username);
 done();
 });
 });
+
+ it('should not return private user data', function (done) {
+ User.setUserFields(testUid, {
+ fb_token: '123123123',
+ another_secret: 'abcde',
+ postcount: '123',
+ }, function (err) {
+ assert.ifError(err);
+ User.getUserData(testUid, function (err, userData) {
+ assert.ifError(err);
+ assert(!userData.hasOwnProperty('fb_token'));
+ assert(!userData.hasOwnProperty('another_secret'));
+ assert(!userData.hasOwnProperty('password'));
+ assert(!userData.hasOwnProperty('rss_token'));
+ assert.equal(userData.postcount, '123');
+ done();
+ });
+ });
+ });
+
+ it('should return private data if field is whitelisted', function (done) {
+ function filterMethod(data, callback) {
+ data.whitelist.push('another_secret');
+ callback(null, data);
+ }
+
+ plugins.registerHook('test-plugin', { hook: 'filter:user.whitelistFields', method: filterMethod });
+ User.getUserData(testUid, function (err, userData) {
+ assert.ifError(err);
+ assert(!userData.hasOwnProperty('fb_token'));
+ assert.equal(userData.another_secret, 'abcde');
+ plugins.unregisterHook('test-plugin', 'filter:user.whitelistFields', filterMethod);
+ done();
+ });
+ });
 });
 describe('not logged in', function () {
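Review bot: In `should return private data if field is whitelisted`, `plugins.unregisterHook` runs only on the success path, so a failing `assert` inside the `getUserData` callback leaves the test hook registered and every later test silently sees `another_secret` whitelisted; unregister as the first statement of the callback (the data has already been fetched by then), or move the cleanup into an `afterEach`. The test also depends on the preceding case having stored `another_secret: 'abcde'` through `User.setUserFields`, so it cannot run in isolation or in a different order; writing the field inside this test, or in a shared `before`, removes that ordering dependency. The `fb_token` and `another_secret` values written to `testUid` are never removed afterwards, which can leak into assertions elsewhere in this file.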