Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-11-01 11:35:55 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: hide private user data in api/v3/users/[uid]

Browse Source
This commit is contained in:
gasoved
2021-06-21 19:58:31 +03:00
committed by Julian Lam
parent d9e2190a6b
commit 97c8569a79
3 changed files with 55 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/controllers/write/users.js
View File

@@ -44,7 +44,9 @@ Users.exists = async (req, res) => {
}; };
Users.get = async (req, res) => { Users.get = async (req, res) => {
helpers.formatApiResponse(200, res, await user.getUserData(req.params.uid)); const userData = await user.getUserData(req.params.uid);
const publicUserData = await user.hidePrivateData(userData, req.uid);
helpers.formatApiResponse(200, res, publicUserData);
}; };
Users.update = async (req, res) => { Users.update = async (req, res) => {

21
src/user/data.js
View File

@@ -141,6 +141,27 @@ module.exports = function (User) {
return await User.getUsersFields(uids, []); return await User.getUsersFields(uids, []);
}; };
User.hidePrivateData = async function (userData, callerUID) {
const _userData = { ...userData };
const isSelf = parseInt(callerUID, 10) === parseInt(_userData.uid, 10);
const [userSettings, isAdmin, isGlobalModerator] = await Promise.all([
User.getSettings(_userData.uid),
User.isAdministrator(callerUID),
User.isGlobalModerator(callerUID),
]);
const privilegedOrSelf = isAdmin || isGlobalModerator || isSelf;
if (!privilegedOrSelf && (!userSettings.showemail || meta.config.hideEmail)) {
_userData.email = '';
}
if (!privilegedOrSelf && (!userSettings.showfullname || meta.config.hideFullname)) {
_userData.fullname = '';
}
return _userData;
};
async function modifyUserData(users, requestedFields, fieldsToRemove) { async function modifyUserData(users, requestedFields, fieldsToRemove) {
let uidToSettings = {}; let uidToSettings = {};
if (meta.config.showFullnameAsDisplayName) { if (meta.config.showFullnameAsDisplayName) {

46
test/user.js
View File

@@ -2509,32 +2509,48 @@ describe('User', () => {
}); });
describe('hideEmail/hideFullname', () => { describe('hideEmail/hideFullname', () => {
const COMMON_PW = '123456';
let uid; let uid;
let jar;
let regularUserUid;
before(async () => {
uid = await User.create({
username: 'hiddenemail',
email: 'should@be.hidden',
fullname: 'baris soner usakli',
});
regularUserUid = await User.create({
username: 'regularUser',
password: COMMON_PW,
});
jar = await new Promise((resolve, reject) => {
helpers.loginUser('regularUser', COMMON_PW, async (err, _jar) => {
if (err) {
reject(err);
}
resolve(_jar);
});
});
});
after((done) => { after((done) => {
meta.config.hideEmail = 0; meta.config.hideEmail = 0;
meta.config.hideFullname = 0; meta.config.hideFullname = 0;
done(); done();
}); });
it('should hide email and fullname', (done) => { it('should hide email and fullname', async () => {
meta.config.hideEmail = 1; meta.config.hideEmail = 1;
meta.config.hideFullname = 1; meta.config.hideFullname = 1;
User.create({ const userData1 = await requestAsync(`${nconf.get('url')}/api/user/hiddenemail`, { json: true });
username: 'hiddenemail', assert.strictEqual(userData1.fullname, '');
email: 'should@be.hidden', assert.strictEqual(userData1.email, '');
fullname: 'baris soner usakli',
}, (err, _uid) => {
uid = _uid;
assert.ifError(err);
request(`${nconf.get('url')}/api/user/hiddenemail`, { json: true }, (err, res, body) => {
assert.ifError(err);
assert.equal(body.fullname, '');
assert.equal(body.email, '');
done(); const { response } = await requestAsync(`${nconf.get('url')}/api/v3/users/${uid}`, { json: true, jar: jar });
}); assert.strictEqual(response.fullname, '');
}); assert.strictEqual(response.email, '');
}); });
it('should hide fullname in topic list and topic', (done) => { it('should hide fullname in topic list and topic', (done) => {