From f7509433b15ae0082c521cb5ca6f40495e78555d Mon Sep 17 00:00:00 2001 From: evazion Date: Fri, 28 Apr 2017 23:24:23 -0500 Subject: [PATCH] /users.json: make private attributes visible to the user themselves (fix #1551). --- app/models/user.rb | 23 ++++++++++++++++++++--- test/functional/users_controller_test.rb | 18 ++++++++++++++++++ 2 files changed, 38 insertions(+), 3 deletions(-) diff --git a/app/models/user.rb b/app/models/user.rb index 8512f9bda..880b47043 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -652,15 +652,32 @@ class User < ActiveRecord::Base end module ApiMethods + # blacklist all attributes by default. whitelist only safe attributes. def hidden_attributes - super + [:password_hash, :bcrypt_password_hash, :email, :email_verification_key, :time_zone, :updated_at, :receive_email_notifications, :last_logged_in_at, :last_forum_read_at, :has_mail, :default_image_size, :comment_threshold, :always_resize_images, :favorite_tags, :blacklisted_tags, :recent_tags, :enable_privacy_mode, :enable_post_navigation, :new_post_navigation_layout, :enable_sequential_post_navigation, :hide_deleted_posts, :per_page, :style_usernames, :enable_auto_complete, :custom_style, :show_deleted_children, :has_saved_searches, :last_ip_addr, :bit_prefs, :favorite_count] + super + attributes.keys.map(&:to_sym) end def method_attributes - list = super + [:is_banned, :can_approve_posts, :can_upload_free, :is_super_voter, :level_string] + list = super + [ + :id, :created_at, :name, :inviter_id, :level, :base_upload_limit, + :post_upload_count, :post_update_count, :note_update_count, + :is_banned, :can_approve_posts, :can_upload_free, :is_super_voter, + :level_string, + ] + if id == CurrentUser.user.id - list += [:remaining_api_limit, :api_burst_limit] + list += BOOLEAN_ATTRIBUTES + [ + :updated_at, :email, :last_logged_in_at, :last_forum_read_at, + :recent_tags, :comment_threshold, :default_image_size, + :favorite_tags, :blacklisted_tags, :time_zone, :per_page, + :custom_style, :favorite_count, + :api_regen_multiplier, :api_burst_limit, :remaining_api_limit, + :statement_timeout, :favorite_group_limit, :favorite_limit, + :tag_query_limit, :can_comment_vote?, :can_remove_from_pools?, + :is_comment_limited?, :can_comment?, :can_upload?, :max_saved_searches, + ] end + list end diff --git a/test/functional/users_controller_test.rb b/test/functional/users_controller_test.rb index d63fe5432..a26200236 100644 --- a/test/functional/users_controller_test.rb +++ b/test/functional/users_controller_test.rb @@ -46,6 +46,24 @@ class UsersControllerTest < ActionController::TestCase get :show, {:id => @user.id} assert_response :success end + + should "show hidden attributes to the owner" do + get :show, {id: @user.id, format: :json}, {user_id: @user.id} + json = JSON.parse(response.body) + + assert_response :success + assert_not_nil(json["last_logged_in_at"]) + end + + should "not show hidden attributes to others" do + another = FactoryGirl.create(:user) + + get :show, {id: another.id, format: :json}, {user_id: @user.id} + json = JSON.parse(response.body) + + assert_response :success + assert_nil(json["last_logged_in_at"]) + end end context "new action" do