diff --git a/server/api/users.go b/server/api/users.go
index 4d88e41bc..8310ed5b5 100644
--- a/server/api/users.go
+++ b/server/api/users.go
@@ -89,6 +89,18 @@ func (a *API) handleGetUsersList(w http.ResponseWriter, r *http.Request) {
 }
 }
+ ctx := r.Context()
+ session := ctx.Value(sessionContextKey).(*model.Session)
+ isSystemAdmin := a.permissions.HasPermissionTo(session.UserID, model.PermissionManageSystem)
+
+ for _, user := range users {
+ if user.ID == session.UserID {
+ user.Sanitize(map[string]bool{})
+ } else {
+ a.app.SanitizeProfile(user, isSystemAdmin)
+ }
+ }
+
 usersList, err := json.Marshal(users)
 if err != nil {
 a.errorResponse(w, r, err)
@@ -170,6 +182,7 @@ func (a *API) handleGetMe(w http.ResponseWriter, r *http.Request) {
 user.Permissions = append(user.Permissions, model.PermissionCreatePost.Id)
 }
+ user.Sanitize(map[string]bool{})
 userData, err := json.Marshal(user)
 if err != nil {
 a.errorResponse(w, r, err)
@@ -278,6 +291,12 @@ func (a *API) handleGetUser(w http.ResponseWriter, r *http.Request) {
 return
 }
+ if userID == session.UserID {
+ user.Sanitize(map[string]bool{})
+ } else {
+ a.app.SanitizeProfile(user, a.permissions.HasPermissionTo(session.UserID, model.PermissionManageSystem))
+ }
+
 userData, err := json.Marshal(user)
 if err != nil {
 a.errorResponse(w, r, err)
diff --git a/server/app/user.go b/server/app/user.go
index bfddca40c..92f3f5b87 100644
--- a/server/app/user.go
+++ b/server/app/user.go
@@ -80,3 +80,15 @@ func (a *App) SearchUserChannels(teamID string, userID string, query string) ([]
 func (a *App) GetChannel(teamID string, channelID string) (*mmModel.Channel, error) {
 return a.store.GetChannel(teamID, channelID)
 }
+
+func (a *App) SanitizeProfile(user *model.User, isAdmin bool) {
+ options := map[string]bool{}
+ if isAdmin {
+ options["fullname"] = true
+ options["email"] = true
+ } else {
+ options["fullname"] = a.config.ShowFullName
+ options["email"] = a.config.ShowEmailAddress
+ }
+ user.Sanitize(options)
+}
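Review bot: The type assertion on the second added line of the handleGetUsersList hunk, `session := ctx.Value(sessionContextKey).(*model.Session)`, is unchecked, so a request that reaches this handler without a session in its context panics instead of getting an error response; use the comma-ok form, `session, ok := ctx.Value(sessionContextKey).(*model.Session)`, and on `!ok || session == nil` return through `a.errorResponse` before `session.UserID` is read. Presumably the route is registered behind the session middleware, in which case this is defence in depth rather than a reachable crash, but the cheap check keeps a routing mistake from turning into a panic. The self-versus-other sanitize branch is repeated verbatim in the handleGetUser hunk of the same file and would read better as one small helper taking the session and the user. handleGetUsersList begins before this hunk and its body continues past it.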
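Review bot: SanitizeProfile in server/app/user.go is an exported method with no doc comment, and its contract — that isAdmin overrides the privacy settings entirely rather than combining with them — is not obvious from the call sites; add `// SanitizeProfile clears the user's secret fields and, unless isAdmin is true, also hides the email and full name according to the ShowEmailAddress and ShowFullName settings.` above the func line. Because the map is always populated with both keys on this path, the empty-map special case in User.Sanitize is never exercised from here, which is worth one sentence in the comment so nobody comes to rely on it.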
diff --git a/server/model/user.go b/server/model/user.go
index 37c1f946d..1840e082f 100644
--- a/server/model/user.go
+++ b/server/model/user.go
@@ -101,3 +101,16 @@ func UserFromJSON(data io.Reader) (*User, error) {
 }
 return &user, nil
 }
+
+func (u *User) Sanitize(options map[string]bool) {
+ u.Password = ""
+ u.MfaSecret = ""
+
+ if len(options) != 0 && !options["email"] {
+ u.Email = ""
+ }
+ if len(options) != 0 && !options["fullname"] {
+ u.FirstName = ""
+ u.LastName = ""
+ }
+}
diff --git a/server/services/store/mattermostauthlayer/mattermostauthlayer.go b/server/services/store/mattermostauthlayer/mattermostauthlayer.go
index 2696b382c..01a80aeda 100644
--- a/server/services/store/mattermostauthlayer/mattermostauthlayer.go
+++ b/server/services/store/mattermostauthlayer/mattermostauthlayer.go
@@ -93,6 +93,7 @@ func (s *MattermostAuthLayer) GetUserByID(userID string) (*model.User, error) {
 if err != nil {
 return nil, err
 }
+
 user := mmUserToFbUser(mmuser)
 return &user, nil
 }
diff --git a/server/services/store/mattermostauthlayer/mattermostauthlayer_test.go b/server/services/store/mattermostauthlayer/mattermostauthlayer_test.go
index 3db253f90..b1a340913 100644
--- a/server/services/store/mattermostauthlayer/mattermostauthlayer_test.go
+++ b/server/services/store/mattermostauthlayer/mattermostauthlayer_test.go
@@ -18,7 +18,6 @@ var errTest = errors.New("failed to patch bot") func TestGetBoardsBotID(t *testing.T) { ctrl := gomock.NewController(t) servicesAPI := mockservicesapi.NewMockServicesAPI(ctrl) - mmAuthLayer, _ := New("test", nil, nil, mlog.CreateConsoleTestLogger(true, mlog.LvlError), servicesAPI, "") servicesAPI.EXPECT().EnsureBot(model.FocalboardBot).Return("", errTest)
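Review bot: The `len(options) != 0 &&` guards in the new User.Sanitize make it fail open: a nil or empty options map keeps Email, FirstName and LastName, so any future caller that passes nil, or misreads the argument's meaning, discloses those fields instead of hiding them. The safer shape is to drop the guards, `if !options["email"] {` and `if !options["fullname"] {`, and have the self-view callers in server/api/users.go pass `map[string]bool{"email": true, "fullname": true}` explicitly, so that the zero value of the argument hides everything. Clearing Password and MfaSecret unconditionally is right. Whichever semantics are kept, the exported method needs a doc comment; for the code as written: `// Sanitize clears the password and MFA secret; when options is non-empty it also clears the email unless options["email"] is true, and the first and last name unless options["fullname"] is true.`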