Dont expose user email via API
To prevent leaking users' info we reduce the amount of user information retrieved via the API for normal users. What a user can get via the API: * if not admin: only id, state, name, username and avatar_url * if admin: all user information * about themselves: all information Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
parent
d5b0f29c4a
commit
ae564c97d4
@ -37,13 +37,9 @@
|
|||
|
||||
projectUserFormatResult: (user) ->
|
||||
if user.avatar_url
|
||||
avatar = gon.relative_url_root + user.avatar_url
|
||||
else if gon.gravatar_enabled
|
||||
avatar = gon.gravatar_url
|
||||
avatar = avatar.replace('%{hash}', md5(user.email))
|
||||
avatar = avatar.replace('%{size}', '24')
|
||||
avatar = user.avatar_url
|
||||
else
|
||||
avatar = gon.relative_url_root + "#{image_path('no_avatar.png')}"
|
||||
avatar = gon.default_avatar_url
|
||||
|
||||
if user.id == ''
|
||||
avatarMarkup = ''
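Review bot: The new avatar fallback in projectUserFormatResult (`if user.avatar_url` / `avatar = user.avatar_url` / `else` / `avatar = gon.default_avatar_url`) is repeated verbatim in the userFormatResult hunk of the second CoffeeScript file, so the two will drift the next time the fallback changes. The same logic fits on one line shared by both, `avatar = user.avatar_url or gon.default_avatar_url`, which also removes the else branch. Dropping the client-side `md5(user.email)` is the actual point of the change and is worth a comment on the new line, e.g. `# avatar_url is computed server-side; the API no longer returns the email`. projectUserFormatResult's body continues past the hunk.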
|
||||
|
|
|
|||
|
|
@ -1,13 +1,9 @@
|
|||
$ ->
|
||||
userFormatResult = (user) ->
|
||||
if user.avatar_url
|
||||
avatar = gon.relative_url_root + user.avatar_url
|
||||
else if gon.gravatar_enabled
|
||||
avatar = gon.gravatar_url
|
||||
avatar = avatar.replace('%{hash}', md5(user.email))
|
||||
avatar = avatar.replace('%{size}', '24')
|
||||
avatar = user.avatar_url
|
||||
else
|
||||
avatar = gon.relative_url_root + "#{image_path('no_avatar.png')}"
|
||||
avatar = gon.default_avatar_url
|
||||
|
||||
"<div class='user-result'>
|
||||
<div class='user-image'><img class='avatar s24' src='#{avatar}'></div>
|
||||
|
|
|
|||
|
|
@ -164,9 +164,8 @@ class ApplicationController < ActionController::Base
|
|||
def add_gon_variables
|
||||
gon.default_issues_tracker = Project.issues_tracker.default_value
|
||||
gon.api_version = API::API.version
|
||||
gon.gravatar_url = request.ssl? || Gitlab.config.gitlab.https ? Gitlab.config.gravatar.ssl_url : Gitlab.config.gravatar.plain_url
|
||||
gon.relative_url_root = Gitlab.config.gitlab.relative_url_root
|
||||
gon.gravatar_enabled = Gitlab.config.gravatar.enabled
|
||||
gon.default_avatar_url = URI::join(Gitlab.config.gitlab.url, ActionController::Base.helpers.image_path('no_avatar.png')).to_s
|
||||
|
||||
if current_user
|
||||
gon.current_user_id = current_user.id
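Review bot: `URI::join(...)` on the new `gon.default_avatar_url` line invokes a method through the scope operator; the conventional spelling is `URI.join(Gitlab.config.gitlab.url, ActionController::Base.helpers.image_path('no_avatar.png')).to_s`, and the same `URI::join` appears in the new `User#avatar_url`. This line builds an absolute URL while the helper hunk's `default_avatar` keeps the relative `image_path`; presumably the absolute form is for JS/API consumers, and a comment such as `# absolute URL: consumed by JS that has no asset-path helper` would record that so the two are not "unified" later. Removing `gon.gravatar_url` and `gon.gravatar_enabled` is what stops the client from needing the raw email, which is the security-relevant part of this hunk. add_gon_variables continues past the hunk.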
|
||||
|
|
|
|||
|
|
@ -60,23 +60,21 @@ module ApplicationHelper
|
|||
|
||||
def avatar_icon(user_email = '', size = nil)
|
||||
user = User.find_by(email: user_email)
|
||||
if user && user.avatar.present?
|
||||
user.avatar.url
|
||||
|
||||
if user
|
||||
user.avatar_url(size) || default_avatar
|
||||
else
|
||||
gravatar_icon(user_email, size)
|
||||
end
|
||||
end
|
||||
|
||||
def gravatar_icon(user_email = '', size = nil)
|
||||
size = 40 if size.nil? || size <= 0
|
||||
GravatarService.new.execute(user_email, size) ||
|
||||
default_avatar
|
||||
end
|
||||
|
||||
if !Gitlab.config.gravatar.enabled || user_email.blank?
|
||||
image_path('no_avatar.png')
|
||||
else
|
||||
gravatar_url = request.ssl? || gitlab_config.https ? Gitlab.config.gravatar.ssl_url : Gitlab.config.gravatar.plain_url
|
||||
user_email.strip!
|
||||
sprintf gravatar_url, hash: Digest::MD5.hexdigest(user_email.downcase), size: size, email: user_email
|
||||
end
|
||||
def default_avatar
|
||||
image_path('no_avatar.png')
|
||||
end
|
||||
|
||||
def last_commit(project)
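Review bot: The rewritten avatar_icon drops the `user_email.blank?` guard that the old gravatar_icon had, so `avatar_icon('')` (its default argument) now runs `User.find_by(email: '')` and then asks GravatarService for the hash of an empty string; unless GravatarService guards a blank email itself, an early `return default_avatar if user_email.blank?` at the top of avatar_icon keeps the old behaviour. The old code also downcased the email before hashing (`Digest::MD5.hexdigest(user_email.downcase)`); whether GravatarService does the same is not visible here and is worth confirming, since a case mismatch yields a different Gravatar. On the positive side the `user_email.strip!` that mutated the caller's string is gone. Note that every avatar_icon call now costs a `User.find_by` query, which adds one query per avatar in lists.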
|
||||
|
|
|
|||
|
|
@ -482,4 +482,12 @@ class User < ActiveRecord::Base
|
|||
def public_profile?
|
||||
authorized_projects.public_only.any?
|
||||
end
|
||||
|
||||
def avatar_url(size = nil)
|
||||
if avatar.present?
|
||||
URI::join(Gitlab.config.gitlab.url, avatar.url).to_s
|
||||
else
|
||||
GravatarService.new.execute(email)
|
||||
end
|
||||
end
|
||||
end
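Review bot: `User#avatar_url(size = nil)` accepts `size` but never uses it: the uploaded-avatar branch returns the full-size `avatar.url`, and the gravatar branch calls `GravatarService.new.execute(email)` without it, even though the helper hunk forwards it as `user.avatar_url(size)` and calls `GravatarService.new.execute(user_email, size)` itself. Forwarding it, `GravatarService.new.execute(email, size)`, makes the helper's argument meaningful; the helper also normalises nil/non-positive size to 40 before its own gravatar call, so the same normalisation is needed here or the parameter should be removed. `URI::join` should be `URI.join`. Since execute can evidently return nil (the helper ORs it with default_avatar), the API `avatar_url` field can be null; a comment such as `# @return [String, nil] absolute URL, or nil when no avatar source is available` would make that contract explicit for the entity and the JS that consumes it.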
|
||||
|
|
|
|||
|
|
@ -1,28 +1,27 @@
|
|||
module API
|
||||
module Entities
|
||||
class User < Grape::Entity
|
||||
expose :id, :username, :email, :name, :bio, :skype, :linkedin, :twitter, :website_url,
|
||||
:theme_id, :color_scheme_id, :state, :created_at, :extern_uid, :provider
|
||||
expose :is_admin?, as: :is_admin
|
||||
expose :can_create_group?, as: :can_create_group
|
||||
expose :can_create_project?, as: :can_create_project
|
||||
|
||||
expose :avatar_url do |user, options|
|
||||
if user.avatar.present?
|
||||
user.avatar.url
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
class UserSafe < Grape::Entity
|
||||
expose :name, :username
|
||||
end
|
||||
|
||||
class UserBasic < Grape::Entity
|
||||
expose :id, :username, :email, :name, :state, :created_at
|
||||
class UserBasic < UserSafe
|
||||
expose :id, :state, :avatar_url
|
||||
end
|
||||
|
||||
class UserLogin < User
|
||||
class User < UserBasic
|
||||
expose :created_at
|
||||
expose :is_admin?, as: :is_admin
|
||||
expose :bio, :skype, :linkedin, :twitter, :website_url
|
||||
end
|
||||
|
||||
class UserFull < User
|
||||
expose :email
|
||||
expose :theme_id, :color_scheme_id, :extern_uid, :provider
|
||||
expose :can_create_group?, as: :can_create_group
|
||||
expose :can_create_project?, as: :can_create_project
|
||||
end
|
||||
|
||||
class UserLogin < UserFull
|
||||
expose :private_token
|
||||
end
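Review bot: `Entities::User` still exposes `is_admin`, `created_at` and the social handles (bio, skype, linkedin, twitter, website_url), so any endpoint not switched in this commit that still presents with `Entities::User` keeps returning those to non-admins; the description promises only id, state, name, username and avatar_url for them, so the remaining `Entities::User` call sites should be audited and either moved to `UserBasic` or documented as intentional. `avatar_url` in `UserBasic` is now the one email-derived field left for ordinary users: if GravatarService builds the URL the way the removed gravatar_icon did (`Digest::MD5.hexdigest(user_email.downcase)`), the MD5 of the address is still exposed, which is weaker than the raw email but not email-free, and a comment on the entity such as `# avatar_url may embed the Gravatar hash of the email` records that trade-off. A one-line comment per class naming its audience (`# any authenticated user`, `# admin or the user themselves`) would make the new hierarchy easier to keep correct as fields are added.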
|
||||
|
||||
|
|
|
|||
|
|
@ -59,4 +59,3 @@ module API
|
|||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
|||
|
|
@ -209,7 +209,7 @@ module API
|
|||
@users = User.where(id: user_project.team.users.map(&:id))
|
||||
@users = @users.search(params[:search]) if params[:search].present?
|
||||
@users = paginate @users
|
||||
present @users, with: Entities::User
|
||||
present @users, with: Entities::UserBasic
|
||||
end
|
||||
|
||||
# Get a project labels
|
||||
|
|
|
|||
|
|
@ -13,7 +13,12 @@ module API
|
|||
@users = @users.active if params[:active].present?
|
||||
@users = @users.search(params[:search]) if params[:search].present?
|
||||
@users = paginate @users
|
||||
present @users, with: Entities::User
|
||||
|
||||
if current_user.is_admin?
|
||||
present @users, with: Entities::UserFull
|
||||
else
|
||||
present @users, with: Entities::UserBasic
|
||||
end
|
||||
end
|
||||
|
||||
# Get a single user
|
||||
|
|
@ -24,7 +29,12 @@ module API
|
|||
# GET /users/:id
|
||||
get ":id" do
|
||||
@user = User.find(params[:id])
|
||||
present @user, with: Entities::User
|
||||
|
||||
if current_user.is_admin?
|
||||
present @user, with: Entities::UserFull
|
||||
else
|
||||
present @user, with: Entities::UserBasic
|
||||
end
|
||||
end
|
||||
|
||||
# Create user. Available only for admin
|
||||
|
|
@ -53,7 +63,7 @@ module API
|
|||
admin = attrs.delete(:admin)
|
||||
user.admin = admin unless admin.nil?
|
||||
if user.save
|
||||
present user, with: Entities::User
|
||||
present user, with: Entities::UserFull
|
||||
else
|
||||
not_found!
|
||||
end
|
||||
|
|
@ -87,7 +97,7 @@ module API
|
|||
admin = attrs.delete(:admin)
|
||||
user.admin = admin unless admin.nil?
|
||||
if user.update_attributes(attrs, as: :admin)
|
||||
present user, with: Entities::User
|
||||
present user, with: Entities::UserFull
|
||||
else
|
||||
not_found!
|
||||
end
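Review bot: The description says a user gets all information about themselves, but `get ":id"` chooses the entity purely on `current_user.is_admin?`, so a non-admin requesting their own id receives `UserBasic`; if that case is meant to be served by a separate current-user endpoint it is fine, otherwise the condition wants `if current_user.is_admin? || @user == current_user`. The admin/basic choice is repeated in the list and show hunks and `UserFull` is hard-coded in create and update; a small helper method that returns `Entities::UserFull` for admins and `Entities::UserBasic` otherwise (in the API helpers block, which is outside this hunk) would keep the four sites consistent. Returning `UserFull` from create and update is consistent with the `# Create user. Available only for admin` comment, since only admins reach those branches.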
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@ describe API::API, api: true do
|
|||
get api("/users", user)
|
||||
response.status.should == 200
|
||||
json_response.should be_an Array
|
||||
json_response.first['email'].should == user.email
|
||||
json_response.first['username'].should == user.username
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
@ -29,7 +29,7 @@ describe API::API, api: true do
|
|||
it "should return a user by id" do
|
||||
get api("/users/#{user.id}", user)
|
||||
response.status.should == 200
|
||||
json_response['email'].should == user.email
|
||||
json_response['username'].should == user.username
|
||||
end
|
||||
|
||||
it "should return a 401 if unauthenticated" do
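Review bot: The spec change only swaps the `email` assertion for `username`, so nothing verifies the point of the commit — that `email` is absent for a non-admin caller. An explicit negative assertion next to the new line, `json_response.first['email'].should be_nil` in the list example and `json_response['email'].should be_nil` in the by-id example, pins the behaviour so a later entity change cannot silently reintroduce the field. A matching example with an admin caller asserting that `email` is present would cover the other branch of the new conditional.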
|
||||
|
|
|
|||