GetUserDetails doesnt return users own email (#1240)
* user: GetUserDetails doesnt return users own email * user: rename get_user to get_user_dangerous, apply suggested changes
parent
1fd5486def
commit
fc36ae22c9
2 changed files with 25 additions and 5 deletions
|
@ -487,16 +487,28 @@ impl Perform for GetUserDetails {
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
let user_view = blocking(context.pool(), move |conn| {
|
let user_id = user.map(|u| u.id);
|
||||||
|
let user_fun = move |conn: &'_ _| {
|
||||||
|
match user_id {
|
||||||
|
// if there's a logged in user and it's the same id as the user whose details are being
|
||||||
|
// requested we need to use get_user_dangerous so it returns their email or other sensitive
|
||||||
|
// data hidden when viewing users other than yourself
|
||||||
|
Some(auth_user_id) => if user_details_id == auth_user_id {
|
||||||
|
UserView::get_user_dangerous(conn, auth_user_id)
|
||||||
|
} else {
|
||||||
UserView::get_user_secure(conn, user_details_id)
|
UserView::get_user_secure(conn, user_details_id)
|
||||||
})
|
}
|
||||||
.await??;
|
None => UserView::get_user_secure(conn, user_details_id)
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
let user_view = blocking(context.pool(), user_fun).await??;
|
||||||
|
|
||||||
let page = data.page;
|
let page = data.page;
|
||||||
let limit = data.limit;
|
let limit = data.limit;
|
||||||
let saved_only = data.saved_only;
|
let saved_only = data.saved_only;
|
||||||
let community_id = data.community_id;
|
let community_id = data.community_id;
|
||||||
let user_id = user.map(|u| u.id);
|
|
||||||
let (posts, comments) = blocking(context.pool(), move |conn| {
|
let (posts, comments) = blocking(context.pool(), move |conn| {
|
||||||
let mut posts_query = PostQueryBuilder::create(conn)
|
let mut posts_query = PostQueryBuilder::create(conn)
|
||||||
.sort(&sort)
|
.sort(&sort)
|
||||||
|
|
|
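Review bot: The choice between `get_user_dangerous` and `get_user_secure` inside `user_fun` is spread over a `match` with a nested `if`, so the secure call appears in two branches and the single condition that unlocks the sensitive row is easy to misread or to break in a later edit. One comparison expresses the same rule and leaves secure as the only fallthrough: `if user_id == Some(user_details_id) { UserView::get_user_dangerous(conn, user_details_id) } else { UserView::get_user_secure(conn, user_details_id) }`. The check is only as strong as the way `user` was authenticated, which happens above the hunk and is not visible here. A regression test asserting that an anonymous request and a request for another user's id both come back without the email would pin this behaviour. The enclosing function starts and ends outside the hunk.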
@ -240,6 +240,14 @@ impl UserView {
|
||||||
.load::<Self>(conn)
|
.load::<Self>(conn)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// WARNING!!! this method WILL return sensitive user information and should only be called
|
||||||
|
// if the user requesting these details is also the authenticated user.
|
||||||
|
// please use get_user_secure to obtain user rows in most cases.
|
||||||
|
pub fn get_user_dangerous(conn: &PgConnection, user_id: i32) -> Result<Self, Error> {
|
||||||
|
use super::user_view::user_fast::dsl::*;
|
||||||
|
user_fast.find(user_id).first::<Self>(conn)
|
||||||
|
}
|
||||||
|
|
||||||
pub fn get_user_secure(conn: &PgConnection, user_id: i32) -> Result<Self, Error> {
|
pub fn get_user_secure(conn: &PgConnection, user_id: i32) -> Result<Self, Error> {
|
||||||
use super::user_view::user_fast::dsl::*;
|
use super::user_view::user_fast::dsl::*;
|
||||||
use diesel::sql_types::{Nullable, Text};
|
use diesel::sql_types::{Nullable, Text};
|
||||||
|
|
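Review bot: The warning above `get_user_dangerous` is written with `//`, so it is left out of rustdoc and editor hover text, which is where a future caller is most likely to look. Writing it as `///` with the precondition first, for example `/// Returns the full row, including the email. Call only when user_id is the authenticated requester's own id.`, keeps it attached to the item. The function is `pub` and nothing in its body enforces that precondition, so every call site has to repeat the identity check; taking the requester's id as an extra argument and falling back to the secure query on a mismatch would keep the check in one place. Both variants return `Self`, so the type alone does not show whether a given `UserView` carries sensitive fields. `get_user_secure` continues past the end of the hunk.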