}
};
- let user_view = blocking(context.pool(), move |conn| {
- UserView::get_user_secure(conn, user_details_id)
- })
- .await??;
+ let user_id = user.map(|u| u.id);
+ let user_fun = move |conn: &'_ _| {
+ match user_id {
+ // if there's a logged in user and it's the same id as the user whose details are being
+ // requested we need to use get_user_dangerous so it returns their email or other sensitive
+ // data hidden when viewing users other than yourself
+ Some(auth_user_id) => if user_details_id == auth_user_id {
+ UserView::get_user_dangerous(conn, auth_user_id)
+ } else {
+ UserView::get_user_secure(conn, user_details_id)
+ }
+ None => UserView::get_user_secure(conn, user_details_id)
+ }
+ };
+
+ let user_view = blocking(context.pool(), user_fun).await??;
let page = data.page;
let limit = data.limit;
let saved_only = data.saved_only;
let community_id = data.community_id;
- let user_id = user.map(|u| u.id);
+
let (posts, comments) = blocking(context.pool(), move |conn| {
let mut posts_query = PostQueryBuilder::create(conn)
.sort(&sort)
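Review bot: The privileged lookup `UserView::get_user_dangerous(conn, auth_user_id)` is reached through a nested `match`/`if` with two separate `get_user_secure` arms, which makes the single exception harder to audit than it needs to be. A flatter form keeps the sanitised query as the only default: `if user_id == Some(user_details_id) { UserView::get_user_dangerous(conn, user_details_id) } else { UserView::get_user_secure(conn, user_details_id) }`. The comment above the arm is also hard to parse; `// Only the profile owner may see their own email and other sensitive fields; every other requester gets the sanitised row.` states what the branch guarantees. How `user` and `user_details_id` are derived lies outside this hunk, so the comparison is only as strong as the authentication that produced `user`.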
.load::<Self>(conn)
}
+ // WARNING!!! this method WILL return sensitive user information and should only be called
+ // if the user requesting these details is also the authenticated user.
+ // please use get_user_secure to obtain user rows in most cases.
+ pub fn get_user_dangerous(conn: &PgConnection, user_id: i32) -> Result<Self, Error> {
+ use super::user_view::user_fast::dsl::*;
+ user_fast.find(user_id).first::<Self>(conn)
+ }
+
pub fn get_user_secure(conn: &PgConnection, user_id: i32) -> Result<Self, Error> {
use super::user_view::user_fast::dsl::*;
use diesel::sql_types::{Nullable, Text};
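Review bot: The warning on `get_user_dangerous` is written with `//`, so it will not appear in rustdoc or in editor hover text at call sites. Make it a `///` doc comment, for example `/// Returns the unsanitised row, including sensitive fields. Call only when the requester is the authenticated owner of user_id; otherwise use get_user_secure.` Both functions return `Result<Self, Error>`, so nothing in the type tells later code whether a given `UserView` has been sanitised, and the only guard is the caller's id comparison. A distinct return type or narrower visibility for the dangerous variant would let the compiler enforce that, though whether it fits the rest of the module cannot be judged from this hunk.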