GetUserDetails doesnt return users own email (#1240)

* user: GetUserDetails doesnt return users own email * user: rename get_user to get_user_dangerous, apply suggested changes
4 years ago · fc36ae22c9
parent 1fd5486def
commit fc36ae22c9
2 changed files with 25 additions and 5 deletions
--- a/lemmy_api/src/user.rs
+++ b/lemmy_api/src/user.rs
@ -487,16 +487,28 @@ impl Perform for GetUserDetails {
      }
    };

-    let user_view = blocking(context.pool(), move |conn| {
-      UserView::get_user_secure(conn, user_details_id)
-    })
-    .await??;
+    let user_id = user.map(|u| u.id);
+    let user_fun = move |conn: &'_ _| {
+      match user_id {
+        // if there's a logged in user and it's the same id as the user whose details are being
+        // requested we need to use get_user_dangerous so it returns their email or other sensitive
+        // data hidden when viewing users other than yourself
+        Some(auth_user_id) => if user_details_id == auth_user_id {
+          UserView::get_user_dangerous(conn, auth_user_id)
+        } else {
+          UserView::get_user_secure(conn, user_details_id)
+        }
+        None => UserView::get_user_secure(conn, user_details_id)
+      }
+    };
+
+    let user_view = blocking(context.pool(), user_fun).await??;

    let page = data.page;
    let limit = data.limit;
    let saved_only = data.saved_only;
    let community_id = data.community_id;
-    let user_id = user.map(|u| u.id);
+
    let (posts, comments) = blocking(context.pool(), move |conn| {
      let mut posts_query = PostQueryBuilder::create(conn)
        .sort(&sort)
--- a/lemmy_db/src/user_view.rs
+++ b/lemmy_db/src/user_view.rs
@ -240,6 +240,14 @@ impl UserView {
      .load::<Self>(conn)
  }

+  // WARNING!!! this method WILL return sensitive user information and should only be called
+  // if the user requesting these details is also the authenticated user.
+  // please use get_user_secure to obtain user rows in most cases.
+  pub fn get_user_dangerous(conn: &PgConnection, user_id: i32) -> Result<Self, Error> {
+    use super::user_view::user_fast::dsl::*;
+    user_fast.find(user_id).first::<Self>(conn)
+  }
+
  pub fn get_user_secure(conn: &PgConnection, user_id: i32) -> Result<Self, Error> {
    use super::user_view::user_fast::dsl::*;
    use diesel::sql_types::{Nullable, Text};