GetUserDetails doesnt return users own email (#1240)

* user: GetUserDetails doesnt return users own email

* user: rename get_user to get_user_dangerous, apply suggested changes
eiknat 2020-10-30 18:19:47 -04:00 committed by GitHub
parent 1fd5486def
commit fc36ae22c9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 25 additions and 5 deletions


@ -487,16 +487,28 @@ impl Perform for GetUserDetails {
} }
}; };
let user_view = blocking(context.pool(), move |conn| { let user_id = user.map(|u| u.id);
let user_fun = move |conn: &'_ _| {
match user_id {
// if there's a logged in user and it's the same id as the user whose details are being
// requested we need to use get_user_dangerous so it returns their email or other sensitive
// data hidden when viewing users other than yourself
Some(auth_user_id) => if user_details_id == auth_user_id {
UserView::get_user_dangerous(conn, auth_user_id)
} else {
UserView::get_user_secure(conn, user_details_id) UserView::get_user_secure(conn, user_details_id)
}) }
.await??; None => UserView::get_user_secure(conn, user_details_id)
}
};
let user_view = blocking(context.pool(), user_fun).await??;
let page = data.page; let page = data.page;
let limit = data.limit; let limit = data.limit;
let saved_only = data.saved_only; let saved_only = data.saved_only;
let community_id = data.community_id; let community_id = data.community_id;
let user_id = user.map(|u| u.id);
let (posts, comments) = blocking(context.pool(), move |conn| { let (posts, comments) = blocking(context.pool(), move |conn| {
let mut posts_query = PostQueryBuilder::create(conn) let mut posts_query = PostQueryBuilder::create(conn)
.sort(&sort) .sort(&sort)
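Review bot: The choice between `get_user_dangerous` and `get_user_secure` in `user_fun` is spread over a `match` with a nested `if`, so the secure call appears in two arms and the sensitive path is not visibly the single exception. Collapsing it to one condition keeps the secure lookup as the default (assuming both ids are the same integer type): `if user_id == Some(user_details_id) { UserView::get_user_dangerous(conn, user_details_id) } else { UserView::get_user_secure(conn, user_details_id) }`. The guarantee still rests on `user` having been derived from a validated credential earlier in the handler, which starts and ends outside this hunk, so that should be confirmed there. A test that requests another user's details while logged in and asserts the email is absent would pin the behaviour.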


@ -240,6 +240,14 @@ impl UserView {
.load::<Self>(conn) .load::<Self>(conn)
} }
// WARNING!!! this method WILL return sensitive user information and should only be called
// if the user requesting these details is also the authenticated user.
// please use get_user_secure to obtain user rows in most cases.
pub fn get_user_dangerous(conn: &PgConnection, user_id: i32) -> Result<Self, Error> {
use super::user_view::user_fast::dsl::*;
user_fast.find(user_id).first::<Self>(conn)
}
pub fn get_user_secure(conn: &PgConnection, user_id: i32) -> Result<Self, Error> { pub fn get_user_secure(conn: &PgConnection, user_id: i32) -> Result<Self, Error> {
use super::user_view::user_fast::dsl::*; use super::user_view::user_fast::dsl::*;
use diesel::sql_types::{Nullable, Text}; use diesel::sql_types::{Nullable, Text};
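Review bot: The warning above `get_user_dangerous` is written as `//` line comments, so it will not appear in rustdoc or in editor hover at a call site, which is where a caller most needs to see it. Making it a doc comment, e.g. `/// WARNING: returns sensitive fields such as email; call only when the requester is the authenticated user identified by user_id.`, and adding a one-line `///` on `get_user_secure` stating that it is the default lookup would surface the contract. The function is `pub`, so only its name and this comment keep another caller from using it; if no caller outside the crate needs it, narrower visibility is worth considering. The body of `get_user_secure` continues outside the hunk.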