Hide some user information via API if user have no enough permission (#8655)
* Hide some user information via API if user have no enough permission * fix test
This commit is contained in:
parent
ab791fe7bb
commit
bd7709a602
@ -29,7 +29,6 @@ func TestAPITeamUser(t *testing.T) {
|
|||||||
var user2 *api.User
|
var user2 *api.User
|
||||||
DecodeJSON(t, resp, &user2)
|
DecodeJSON(t, resp, &user2)
|
||||||
user2.Created = user2.Created.In(time.Local)
|
user2.Created = user2.Created.In(time.Local)
|
||||||
user2.LastLogin = user2.LastLogin.In(time.Local)
|
|
||||||
user := models.AssertExistsAndLoadBean(t, &models.User{Name: "user2"}).(*models.User)
|
user := models.AssertExistsAndLoadBean(t, &models.User{Name: "user2"}).(*models.User)
|
||||||
|
|
||||||
assert.Equal(t, convert.ToUser(user, true, false), user2)
|
assert.Equal(t, convert.ToUser(user, true, false), user2)
|
||||||
|
@ -237,12 +237,9 @@ func ToTeam(team *models.Team) *api.Team {
|
|||||||
// ToUser convert models.User to api.User
|
// ToUser convert models.User to api.User
|
||||||
func ToUser(user *models.User, signed, authed bool) *api.User {
|
func ToUser(user *models.User, signed, authed bool) *api.User {
|
||||||
result := &api.User{
|
result := &api.User{
|
||||||
ID: user.ID,
|
|
||||||
UserName: user.Name,
|
UserName: user.Name,
|
||||||
AvatarURL: user.AvatarLink(),
|
AvatarURL: user.AvatarLink(),
|
||||||
FullName: markup.Sanitize(user.FullName),
|
FullName: markup.Sanitize(user.FullName),
|
||||||
IsAdmin: user.IsAdmin,
|
|
||||||
LastLogin: user.LastLoginUnix.AsTime(),
|
|
||||||
Created: user.CreatedUnix.AsTime(),
|
Created: user.CreatedUnix.AsTime(),
|
||||||
}
|
}
|
||||||
// hide primary email if API caller isn't user itself or an admin
|
// hide primary email if API caller isn't user itself or an admin
|
||||||
@ -250,8 +247,11 @@ func ToUser(user *models.User, signed, authed bool) *api.User {
|
|||||||
result.Email = ""
|
result.Email = ""
|
||||||
} else if user.KeepEmailPrivate && !authed {
|
} else if user.KeepEmailPrivate && !authed {
|
||||||
result.Email = user.GetEmail()
|
result.Email = user.GetEmail()
|
||||||
} else {
|
} else { // only user himself and admin could visit these information
|
||||||
|
result.ID = user.ID
|
||||||
result.Email = user.Email
|
result.Email = user.Email
|
||||||
|
result.IsAdmin = user.IsAdmin
|
||||||
|
result.LastLogin = user.LastLoginUnix.AsTime()
|
||||||
}
|
}
|
||||||
return result
|
return result
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user