Sanitize user following config for ShowFullName and ShowEmailAddress (#4820)

2023-07-26 08:42:22 -04:00 · 2023-07-26 08:42:22 -04:00 · 3625c53527
commit 3625c53527
parent 257cc5f1fd
5 changed files with 45 additions and 1 deletions
--- a/server/api/users.go
+++ b/server/api/users.go
@ -89,6 +89,18 @@ func (a *API) handleGetUsersList(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 	ctx := r.Context()
 	session := ctx.Value(sessionContextKey).(*model.Session)
 	isSystemAdmin := a.permissions.HasPermissionTo(session.UserID, model.PermissionManageSystem)
 	for _, user := range users {
 		if user.ID == session.UserID {
 			user.Sanitize(map[string]bool{})
 		} else {
 			a.app.SanitizeProfile(user, isSystemAdmin)
 		}
 	}
 	usersList, err := json.Marshal(users)
 	if err != nil {
 		a.errorResponse(w, r, err)
@ -170,6 +182,7 @@ func (a *API) handleGetMe(w http.ResponseWriter, r *http.Request) {
 		user.Permissions = append(user.Permissions, model.PermissionCreatePost.Id)
 	}
 	user.Sanitize(map[string]bool{})
 	userData, err := json.Marshal(user)
 	if err != nil {
 		a.errorResponse(w, r, err)
@ -278,6 +291,12 @@ func (a *API) handleGetUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	if userID == session.UserID {
 		user.Sanitize(map[string]bool{})
 	} else {
 		a.app.SanitizeProfile(user, a.permissions.HasPermissionTo(session.UserID, model.PermissionManageSystem))
 	}
 	userData, err := json.Marshal(user)
 	if err != nil {
 		a.errorResponse(w, r, err)
--- a/server/app/user.go
+++ b/server/app/user.go
@ -80,3 +80,15 @@ func (a *App) SearchUserChannels(teamID string, userID string, query string) ([]
 func (a *App) GetChannel(teamID string, channelID string) (*mmModel.Channel, error) {
 	return a.store.GetChannel(teamID, channelID)
 }
 func (a *App) SanitizeProfile(user *model.User, isAdmin bool) {
 	options := map[string]bool{}
 	if isAdmin {
 		options["fullname"] = true
 		options["email"] = true
 	} else {
 		options["fullname"] = a.config.ShowFullName
 		options["email"] = a.config.ShowEmailAddress
 	}
 	user.Sanitize(options)
 }
--- a/server/model/user.go
+++ b/server/model/user.go
@ -101,3 +101,16 @@ func UserFromJSON(data io.Reader) (*User, error) {
 	}
 	return &user, nil
 }
 func (u *User) Sanitize(options map[string]bool) {
 	u.Password = ""
 	u.MfaSecret = ""
 	if len(options) != 0 && !options["email"] {
 		u.Email = ""
 	}
 	if len(options) != 0 && !options["fullname"] {
 		u.FirstName = ""
 		u.LastName = ""
 	}
 }
--- a/server/services/store/mattermostauthlayer/mattermostauthlayer.go
+++ b/server/services/store/mattermostauthlayer/mattermostauthlayer.go
@ -93,6 +93,7 @@ func (s *MattermostAuthLayer) GetUserByID(userID string) (*model.User, error) {
 	if err != nil {
 		return nil, err
 	}
 	user := mmUserToFbUser(mmuser)
 	return &user, nil
 }
--- a/server/services/store/mattermostauthlayer/mattermostauthlayer_test.go
+++ b/server/services/store/mattermostauthlayer/mattermostauthlayer_test.go
@ -18,7 +18,6 @@ var errTest = errors.New("failed to patch bot")
 func TestGetBoardsBotID(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	servicesAPI := mockservicesapi.NewMockServicesAPI(ctrl)
 	mmAuthLayer, _ := New("test", nil, nil, mlog.CreateConsoleTestLogger(true, mlog.LvlError), servicesAPI, "")
 	servicesAPI.EXPECT().EnsureBot(model.FocalboardBot).Return("", errTest)