diff --git a/server/api/users.go b/server/api/users.go
index 90932d4d6..9b5789f7b 100644
--- a/server/api/users.go
+++ b/server/api/users.go
@@ -9,6 +9,8 @@ import (
 	"github.com/mattermost/focalboard/server/model"
 	"github.com/mattermost/focalboard/server/services/audit"
 	"github.com/mattermost/focalboard/server/utils"
+
+	mmModel "github.com/mattermost/mattermost-server/v6/model"
 )
 
 func (a *API) registerUsersRoutes(r *mux.Router) {
@@ -89,6 +91,18 @@ func (a *API) handleGetUsersList(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
+	ctx := r.Context()
+	session := ctx.Value(sessionContextKey).(*model.Session)
+	isSystemAdmin := a.permissions.HasPermissionTo(session.UserID, mmModel.PermissionManageSystem)
+
+	for _, user := range users {
+		if user.ID == session.UserID {
+			user.Sanitize(map[string]bool{})
+		} else {
+			a.app.SanitizeProfile(user, isSystemAdmin)
+		}
+	}
+
 	usersList, err := json.Marshal(users)
 	if err != nil {
 		a.errorResponse(w, r, err)
@@ -146,6 +160,7 @@ func (a *API) handleGetMe(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
+	user.Sanitize(map[string]bool{})
 	userData, err := json.Marshal(user)
 	if err != nil {
 		a.errorResponse(w, r, err)
@@ -254,6 +269,12 @@ func (a *API) handleGetUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if userID == session.UserID {
+		user.Sanitize(map[string]bool{})
+	} else {
+		a.app.SanitizeProfile(user, a.permissions.HasPermissionTo(session.UserID, mmModel.PermissionManageSystem))
+	}
+
 	userData, err := json.Marshal(user)
 	if err != nil {
 		a.errorResponse(w, r, err)
diff --git a/server/app/user.go b/server/app/user.go
index af409187e..f1c539b23 100644
--- a/server/app/user.go
+++ b/server/app/user.go
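Review bot: In handleGetUsersList the new `session := ctx.Value(sessionContextKey).(*model.Session)` is an unchecked type assertion, so a request that reaches this handler without a session stored in its context panics instead of producing an error response. handleGetUser in the last hunk of this file already has `session` in scope, which suggests there is an established way to obtain it; reuse that, or use the comma-ok form `session, ok := ctx.Value(sessionContextKey).(*model.Session)` followed by `if !ok { … return }` that writes an error response. Sanitize also mutates the `*model.User` values in place, so if the store ever returns cached or shared instances (not visible in this diff) the admin or non-admin view of one request would persist into the next; clearing fields on a copy would avoid that. Any other handler that marshals a model.User (none appear in this diff) still needs the same call, since the stripping happens per handler rather than at the store or app boundary. The bodies of handleGetUsersList and handleGetUser both continue outside their hunks.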
@@ -56,3 +56,15 @@ func (a *App) SearchUserChannels(teamID string, userID string, query string) ([]
 func (a *App) GetChannel(teamID string, channelID string) (*mmModel.Channel, error) {
 	return a.store.GetChannel(teamID, channelID)
 }
+
+func (a *App) SanitizeProfile(user *model.User, isAdmin bool) {
+	options := map[string]bool{}
+	if isAdmin {
+		options["fullname"] = true
+		options["email"] = true
+	} else {
+		options["fullname"] = a.config.ShowFullName
+		options["email"] = a.config.ShowEmailAddress
+	}
+	user.Sanitize(options)
+}
diff --git a/server/model/user.go b/server/model/user.go
index 7b48cb0a4..bb72fc127 100644
--- a/server/model/user.go
+++ b/server/model/user.go
@@ -98,3 +98,16 @@ func UserFromJSON(data io.Reader) (*User, error) {
 	}
 	return &user, nil
 }
+
+func (u *User) Sanitize(options map[string]bool) {
+	u.Password = ""
+	u.MfaSecret = ""
+
+	if len(options) != 0 && !options["email"] {
+		u.Email = ""
+	}
+	if len(options) != 0 && !options["fullname"] {
+		u.FirstName = ""
+		u.LastName = ""
+	}
+}
diff --git a/server/services/store/mattermostauthlayer/mattermostauthlayer.go b/server/services/store/mattermostauthlayer/mattermostauthlayer.go
index d2b86e893..67c9a0ee7 100644
--- a/server/services/store/mattermostauthlayer/mattermostauthlayer.go
+++ b/server/services/store/mattermostauthlayer/mattermostauthlayer.go
@@ -93,6 +93,7 @@ func (s *MattermostAuthLayer) GetUserByID(userID string) (*model.User, error) {
 	if err != nil {
 		return nil, err
 	}
+
 	user := mmUserToFbUser(mmuser)
 	return &user, nil
 }
diff --git a/server/services/store/mattermostauthlayer/mattermostauthlayer_test.go b/server/services/store/mattermostauthlayer/mattermostauthlayer_test.go
index 3db253f90..b1a340913 100644
--- a/server/services/store/mattermostauthlayer/mattermostauthlayer_test.go
+++ b/server/services/store/mattermostauthlayer/mattermostauthlayer_test.go
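Review bot: SanitizeProfile is exported but has no doc comment, and since it decides which profile fields leave the server a sentence stating the policy belongs on it: `// SanitizeProfile strips secrets from user and, unless isAdmin is set, also hides the email address and full name according to the ShowEmailAddress and ShowFullName config settings.` The options map could be built as a single literal, `user.Sanitize(map[string]bool{"fullname": isAdmin || a.config.ShowFullName, "email": isAdmin || a.config.ShowEmailAddress})`, which makes it obvious that both keys are always present — a property that matters because Sanitize hides any field whose key is absent from a non-empty map.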
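Review bot: Sanitize's contract is easy to misread — an empty map keeps Email and the name fields, while a non-empty map hides every field not explicitly set to true — and that is only discoverable from the two `len(options) != 0 &&` guards, so it needs a doc comment: `// Sanitize clears Password and MfaSecret. When options is non-empty it also clears Email unless options["email"] is true, and FirstName/LastName unless options["fullname"] is true; an empty map leaves those fields intact and is used for the requesting user's own profile.` The fail-closed behavior for missing keys is a good property and worth stating so that a future caller does not pass a partial map expecting the unmentioned fields to survive; the duplicated `len(options) != 0` could also be hoisted into one `if len(options) == 0 { return }` guard after the secrets are cleared.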
@@ -18,7 +18,6 @@ var errTest = errors.New("failed to patch bot")
 func TestGetBoardsBotID(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	servicesAPI := mockservicesapi.NewMockServicesAPI(ctrl)
-	mmAuthLayer, _ := New("test", nil, nil, mlog.CreateConsoleTestLogger(true, mlog.LvlError), servicesAPI, "")
 	servicesAPI.EXPECT().EnsureBot(model.FocalboardBot).Return("", errTest)