Hide some user information via API if user have no enough permission (#8655) (#8657)

* Hide some user information via API if user have no enough permission

* fix test
This commit is contained in:
Lunny Xiao 2019-10-24 13:59:53 +08:00 committed by Lauris BH
parent 1d10747514
commit 14ebda6fd5
2 changed files with 4 additions and 5 deletions

View file

@ -29,7 +29,6 @@ func TestAPITeamUser(t *testing.T) {
var user2 *api.User var user2 *api.User
DecodeJSON(t, resp, &user2) DecodeJSON(t, resp, &user2)
user2.Created = user2.Created.In(time.Local) user2.Created = user2.Created.In(time.Local)
user2.LastLogin = user2.LastLogin.In(time.Local)
user := models.AssertExistsAndLoadBean(t, &models.User{Name: "user2"}).(*models.User) user := models.AssertExistsAndLoadBean(t, &models.User{Name: "user2"}).(*models.User)
assert.Equal(t, convert.ToUser(user, true, false), user2) assert.Equal(t, convert.ToUser(user, true, false), user2)

View file

@ -232,12 +232,9 @@ func ToTeam(team *models.Team) *api.Team {
// ToUser convert models.User to api.User // ToUser convert models.User to api.User
func ToUser(user *models.User, signed, authed bool) *api.User { func ToUser(user *models.User, signed, authed bool) *api.User {
result := &api.User{ result := &api.User{
ID: user.ID,
UserName: user.Name, UserName: user.Name,
AvatarURL: user.AvatarLink(), AvatarURL: user.AvatarLink(),
FullName: markup.Sanitize(user.FullName), FullName: markup.Sanitize(user.FullName),
IsAdmin: user.IsAdmin,
LastLogin: user.LastLoginUnix.AsTime(),
Created: user.CreatedUnix.AsTime(), Created: user.CreatedUnix.AsTime(),
} }
// hide primary email if API caller isn't user itself or an admin // hide primary email if API caller isn't user itself or an admin
@ -245,8 +242,11 @@ func ToUser(user *models.User, signed, authed bool) *api.User {
result.Email = "" result.Email = ""
} else if user.KeepEmailPrivate && !authed { } else if user.KeepEmailPrivate && !authed {
result.Email = user.GetEmail() result.Email = user.GetEmail()
} else { } else { // only user himself and admin could visit these information
result.ID = user.ID
result.Email = user.Email result.Email = user.Email
result.IsAdmin = user.IsAdmin
result.LastLogin = user.LastLoginUnix.AsTime()
} }
return result return result
} }