fix: hide private user data in api/v3/users/[uid]

2025-11-01 03:26:04 +01:00 · 2021-06-21 19:58:31 +03:00
parent d9e2190a6b
commit 97c8569a79
3 changed files with 55 additions and 16 deletions
--- a/src/controllers/write/users.js
+++ b/src/controllers/write/users.js
@@ -44,7 +44,9 @@ Users.exists = async (req, res) => {
 };

 Users.get = async (req, res) => {
-	helpers.formatApiResponse(200, res, await user.getUserData(req.params.uid));
+	const userData = await user.getUserData(req.params.uid);
+	const publicUserData = await user.hidePrivateData(userData, req.uid);
+	helpers.formatApiResponse(200, res, publicUserData);
 };

 Users.update = async (req, res) => {
--- a/src/user/data.js
+++ b/src/user/data.js
@@ -141,6 +141,27 @@ module.exports = function (User) {
 		return await User.getUsersFields(uids, []);
 	};

+	User.hidePrivateData = async function (userData, callerUID) {
+		const _userData = { ...userData };
+
+		const isSelf = parseInt(callerUID, 10) === parseInt(_userData.uid, 10);
+		const [userSettings, isAdmin, isGlobalModerator] = await Promise.all([
+			User.getSettings(_userData.uid),
+			User.isAdministrator(callerUID),
+			User.isGlobalModerator(callerUID),
+		]);
+		const privilegedOrSelf = isAdmin || isGlobalModerator || isSelf;
+
+		if (!privilegedOrSelf && (!userSettings.showemail || meta.config.hideEmail)) {
+			_userData.email = '';
+		}
+		if (!privilegedOrSelf && (!userSettings.showfullname || meta.config.hideFullname)) {
+			_userData.fullname = '';
+		}
+
+		return _userData;
+	};
+
 	async function modifyUserData(users, requestedFields, fieldsToRemove) {
 		let uidToSettings = {};
 		if (meta.config.showFullnameAsDisplayName) {
--- a/test/user.js
+++ b/test/user.js
@@ -2509,32 +2509,48 @@ describe('User', () => {
 	});

 	describe('hideEmail/hideFullname', () => {
+		const COMMON_PW = '123456';
 		let uid;
+		let jar;
+		let regularUserUid;
+
+		before(async () => {
+			uid = await User.create({
+				username: 'hiddenemail',
+				email: 'should@be.hidden',
+				fullname: 'baris soner usakli',
+			});
+			regularUserUid = await User.create({
+				username: 'regularUser',
+				password: COMMON_PW,
+			});
+			jar = await new Promise((resolve, reject) => {
+				helpers.loginUser('regularUser', COMMON_PW, async (err, _jar) => {
+					if (err) {
+						reject(err);
+					}
+					resolve(_jar);
+				});
+			});
+		});
+
 		after((done) => {
 			meta.config.hideEmail = 0;
 			meta.config.hideFullname = 0;
 			done();
 		});

-		it('should hide email and fullname', (done) => {
+		it('should hide email and fullname', async () => {
 			meta.config.hideEmail = 1;
 			meta.config.hideFullname = 1;

-			User.create({
-				username: 'hiddenemail',
-				email: 'should@be.hidden',
-				fullname: 'baris soner usakli',
-			}, (err, _uid) => {
-				uid = _uid;
-				assert.ifError(err);
-				request(`${nconf.get('url')}/api/user/hiddenemail`, { json: true }, (err, res, body) => {
-					assert.ifError(err);
-					assert.equal(body.fullname, '');
-					assert.equal(body.email, '');
+			const userData1 = await requestAsync(`${nconf.get('url')}/api/user/hiddenemail`, { json: true });
+			assert.strictEqual(userData1.fullname, '');
+			assert.strictEqual(userData1.email, '');

-					done();
-				});
-			});
+			const { response } = await requestAsync(`${nconf.get('url')}/api/v3/users/${uid}`, { json: true, jar: jar });
+			assert.strictEqual(response.fullname, '');
+			assert.strictEqual(response.email, '');
 		});

 		it('should hide fullname in topic list and topic', (done) => {