From fc36ae22c928e41831c5162ea878ff481e96e129 Mon Sep 17 00:00:00 2001 From: eiknat <68170752+eiknat@users.noreply.github.com> Date: Fri, 30 Oct 2020 18:19:47 -0400 Subject: [PATCH] GetUserDetails doesnt return users own email (#1240) * user: GetUserDetails doesnt return users own email * user: rename get_user to get_user_dangerous, apply suggested changes --- lemmy_api/src/user.rs | 22 +++++++++++++++++----- lemmy_db/src/user_view.rs | 8 ++++++++ 2 files changed, 25 insertions(+), 5 deletions(-) diff --git a/lemmy_api/src/user.rs b/lemmy_api/src/user.rs index 02accc87c..1d5aa19a2 100644 --- a/lemmy_api/src/user.rs +++ b/lemmy_api/src/user.rs @@ -487,16 +487,28 @@ impl Perform for GetUserDetails { } }; - let user_view = blocking(context.pool(), move |conn| { - UserView::get_user_secure(conn, user_details_id) - }) - .await??; + let user_id = user.map(|u| u.id); + let user_fun = move |conn: &'_ _| { + match user_id { + // if there's a logged in user and it's the same id as the user whose details are being + // requested we need to use get_user_dangerous so it returns their email or other sensitive + // data hidden when viewing users other than yourself + Some(auth_user_id) => if user_details_id == auth_user_id { + UserView::get_user_dangerous(conn, auth_user_id) + } else { + UserView::get_user_secure(conn, user_details_id) + } + None => UserView::get_user_secure(conn, user_details_id) + } + }; + + let user_view = blocking(context.pool(), user_fun).await??; let page = data.page; let limit = data.limit; let saved_only = data.saved_only; let community_id = data.community_id; - let user_id = user.map(|u| u.id); + let (posts, comments) = blocking(context.pool(), move |conn| { let mut posts_query = PostQueryBuilder::create(conn) .sort(&sort) diff --git a/lemmy_db/src/user_view.rs b/lemmy_db/src/user_view.rs index b0c28d31c..bf85280ac 100644 --- a/lemmy_db/src/user_view.rs +++ b/lemmy_db/src/user_view.rs 
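Review bot: The choice between `get_user_dangerous` and `get_user_secure` inside `user_fun` is the only gate on who sees private fields, yet it is written as a nested `match`/`if` with the secure call duplicated in two arms. A single comparison makes the secure path the one default and is harder to break in a later edit: `if user_id == Some(user_details_id) { UserView::get_user_dangerous(conn, user_details_id) } else { UserView::get_user_secure(conn, user_details_id) }`. The commit adds no test; the cases worth pinning are an anonymous request and a logged-in request for another user's id, both of which must come back without the email. `user` and `user_details_id` are computed above the hunk, so whether `user` always comes from a validated auth token cannot be confirmed from here.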
@@ -240,6 +240,14 @@ impl UserView { .load::(conn) } + // WARNING!!! this method WILL return sensitive user information and should only be called + // if the user requesting these details is also the authenticated user. + // please use get_user_secure to obtain user rows in most cases. + pub fn get_user_dangerous(conn: &PgConnection, user_id: i32) -> Result { + use super::user_view::user_fast::dsl::*; + user_fast.find(user_id).first::(conn) + } + pub fn get_user_secure(conn: &PgConnection, user_id: i32) -> Result { use super::user_view::user_fast::dsl::*; use diesel::sql_types::{Nullable, Text};
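Review bot: `get_user_dangerous` is `pub` and, as far as the hunk shows, is declared with the same return type as `get_user_secure`, so only the name and a plain `//` comment keep a future caller from handing the unredacted row to another viewer. Make the warning a doc comment so it appears in rustdoc and editor hover, e.g. `/// WARNING: returns sensitive fields such as email; call only when the requester is the authenticated owner of user_id.` A distinct return type for the unredacted row would let the compiler enforce the split, though that is a larger change than this commit. The body of `get_user_secure` continues past the end of the hunk, so which columns it hides is not visible here.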