authorJoram Wilander <jwawilander@gmail.com>2017-04-19 15:38:35 -0400
committerChristopher Speller <crspeller@gmail.com>2017-04-19 15:38:35 -0400
commit0b919a324adeebd2f4ef6f250188752176ffe63f (patch)
tree367a07677e658518506064d7cb4107516e5e9711
parentbc906abd6672efbe9b755a4edd5dbc5f7a39761f (diff)
downloadchat-0b919a324adeebd2f4ef6f250188752176ffe63f.tar.gz
chat-0b919a324adeebd2f4ef6f250188752176ffe63f.tar.bz2
chat-0b919a324adeebd2f4ef6f250188752176ffe63f.zip
Don't sanitize returned user when updating a user (#6095)
* Don't sanitize returned user when updating a user * Use user model function for clearing private data
-rw-r--r--api4/user_test.go5
-rw-r--r--app/user.go12
-rw-r--r--model/user.go22
-rw-r--r--store/sql_user_store.go51
4 files changed, 36 insertions, 54 deletions
diff --git a/api4/user_test.go b/api4/user_test.go
index d044cee9b..9a360c7e4 100644
--- a/api4/user_test.go
+++ b/api4/user_test.go
@@ -739,6 +739,8 @@ func TestPatchUser(t *testing.T) {
patch.LastName = new(string)
*patch.LastName = "Wilander"
patch.Position = new(string)
+ patch.NotifyProps = model.StringMap{}
+ patch.NotifyProps["comment"] = "somethingrandom"
ruser, resp := Client.PatchUser(user.Id, patch)
CheckNoError(t, resp)
@@ -759,6 +761,9 @@ func TestPatchUser(t *testing.T) {
if ruser.Username != user.Username {
t.Fatal("Username should not have updated")
}
+ if ruser.NotifyProps["comment"] != "somethingrandom" {
+ t.Fatal("NotifyProps did not update properly")
+ }
_, resp = Client.PatchUser("junk", patch)
CheckBadRequestStatus(t, resp)
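Review bot: The added assertions cover `NotifyProps`, but nothing in this hunk checks that the user returned by `Client.PatchUser` is free of credential fields. That matters more now that this commit removes `SanitizeProfile` from the return path of `PatchUser` in app/user.go. Adding `if ruser.Password != "" { t.Fatal("Password should not be returned") }` next to the NotifyProps check would pin it. TestPatchUser starts and ends outside the hunk, so an existing check elsewhere in the function cannot be ruled out.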
diff --git a/app/user.go b/app/user.go
index e339dfd5b..827ad18f9 100644
--- a/app/user.go
+++ b/app/user.go
@@ -942,9 +942,7 @@ func UpdateUserAsUser(user *model.User, asAdmin bool) (*model.User, *model.AppEr
return nil, err
}
- SanitizeProfile(updatedUser, asAdmin)
-
- sendUpdatedUserEvent(updatedUser)
+ sendUpdatedUserEvent(*updatedUser, asAdmin)
return updatedUser, nil
}
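Review bot: `UpdateUserAsUser` now returns `updatedUser` without passing it through `SanitizeProfile`, so whatever that call stripped for non-admin viewers is still present in the returned value; the same holds for `PatchUser` in the next hunk. Nothing in the code tells a caller this. A doc comment on both functions, e.g. `// The returned user is not passed through SanitizeProfile; callers must sanitize it before exposing it to another user.`, would make the contract explicit. Both function bodies start outside the hunks and the handlers that serialize the result are not shown, so it is worth confirming that they sanitize before responding.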
@@ -962,14 +960,14 @@ func PatchUser(userId string, patch *model.UserPatch, asAdmin bool) (*model.User
return nil, err
}
- SanitizeProfile(updatedUser, asAdmin)
-
- sendUpdatedUserEvent(updatedUser)
+ sendUpdatedUserEvent(*updatedUser, asAdmin)
return updatedUser, nil
}
-func sendUpdatedUserEvent(user *model.User) {
+func sendUpdatedUserEvent(user model.User, asAdmin bool) {
+ SanitizeProfile(&user, asAdmin)
+
omitUsers := make(map[string]bool, 1)
omitUsers[user.Id] = true
message := model.NewWebSocketEvent(model.WEBSOCKET_EVENT_USER_UPDATED, "", "", "", omitUsers)
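Review bot: `sendUpdatedUserEvent` takes `model.User` by value so that `SanitizeProfile(&user, asAdmin)` leaves the caller's struct alone, but the copy is shallow: the `Props`/`NotifyProps` maps and the `AuthData` pointer (a `*string`, per the removed lines in store/sql_user_store.go) still refer to the caller's data. If SanitizeProfile deletes map keys or writes through a pointer instead of reassigning the field, the user returned by `UpdateUserAsUser` and `PatchUser` changes too. A comment such as `// user is a shallow copy: SanitizeProfile must reassign fields, not mutate shared maps or pointers` or an explicit deep copy would guard this. Separately, the event is sanitized with the updater's `asAdmin` rather than the recipients' privileges, so it is worth confirming who receives it. The function body continues outside the hunk.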
diff --git a/model/user.go b/model/user.go
index 7cb3d0b70..1c390a121 100644
--- a/model/user.go
+++ b/model/user.go
@@ -67,15 +67,15 @@ type User struct {
}
type UserPatch struct {
- Username *string `json:"username"`
- Nickname *string `json:"nickname"`
- FirstName *string `json:"first_name"`
- LastName *string `json:"last_name"`
- Position *string `json:"position"`
- Email *string `json:"email"`
- Props *StringMap `json:"props,omitempty"`
- NotifyProps *StringMap `json:"notify_props,omitempty"`
- Locale *string `json:"locale"`
+ Username *string `json:"username"`
+ Nickname *string `json:"nickname"`
+ FirstName *string `json:"first_name"`
+ LastName *string `json:"last_name"`
+ Position *string `json:"position"`
+ Email *string `json:"email"`
+ Props StringMap `json:"props,omitempty"`
+ NotifyProps StringMap `json:"notify_props,omitempty"`
+ Locale *string `json:"locale"`
}
// IsValid validates the user and returns an error if it isn't configured
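Review bot: `Props` and `NotifyProps` are now plain `StringMap` values tagged `omitempty`, and nothing on `UserPatch` documents how nil and empty differ. Going by the `!= nil` checks in `User.Patch`, a nil map leaves the field alone, while a non-nil map, even an empty one, replaces the user's map wholesale. On encoding, `omitempty` drops an empty map, so a client built on this struct cannot send "clear all". A comment on the two fields, e.g. `// nil leaves the field unchanged; a non-nil map replaces the user's map entirely`, would record that.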
@@ -267,11 +267,11 @@ func (u *User) Patch(patch *UserPatch) {
}
if patch.Props != nil {
- u.Props = *patch.Props
+ u.Props = patch.Props
}
if patch.NotifyProps != nil {
- u.NotifyProps = *patch.NotifyProps
+ u.NotifyProps = patch.NotifyProps
}
if patch.Locale != nil {
diff --git a/store/sql_user_store.go b/store/sql_user_store.go
index 91c27cf3e..8bd16f696 100644
--- a/store/sql_user_store.go
+++ b/store/sql_user_store.go
@@ -192,6 +192,8 @@ func (us SqlUserStore) Update(user *model.User, trustedUpdateData bool) StoreCha
} else if count != 1 {
result.Err = model.NewLocAppError("SqlUserStore.Update", "store.sql_user.update.app_error", nil, fmt.Sprintf("user_id=%v, count=%v", user.Id, count))
} else {
+ user.Sanitize(map[string]bool{})
+ oldUser.Sanitize(map[string]bool{})
result.Data = [2]*model.User{user, oldUser}
}
}
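Review bot: `user.Sanitize(map[string]bool{})` runs on the pointer the caller passed in, so `Update` now modifies its argument as a side effect, and only on the success path. A caller that reads fields from `user` after the call sees the sanitized values, while on the error branches the struct is left untouched. What Sanitize clears with an empty options map is not visible here, though the other hunks in this file use it in place of blanking `Password` and `AuthData`. A comment above the two calls, e.g. `// strip credential fields before the users leave the store; this mutates the caller's user`, would flag the side effect. The function starts and ends outside the hunk.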
@@ -458,9 +460,7 @@ func (us SqlUserStore) GetAllProfiles(offset int, limit int) StoreChannel {
} else {
for _, u := range users {
- u.Password = ""
- u.AuthData = new(string)
- *u.AuthData = ""
+ u.Sanitize(map[string]bool{})
}
result.Data = users
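Review bot: The removed lines showed at the store boundary that `Password` and `AuthData` are blanked; that guarantee now rests entirely on `model.User.Sanitize` called with an empty options map, and no test in this commit pins it. The same replacement is made in the eleven later hunks of this file (GetProfiles through GetProfilesNotInTeam), including GetProfileByIds, where the sanitized user is also what goes into `profileByIdsCache`. A store-level test asserting that returned users have an empty `Password` and empty `AuthData` would catch a later change to Sanitize. As a smaller point, each loop iteration allocates a fresh `map[string]bool{}`; one map created before the loop could be reused if Sanitize only reads it.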
@@ -507,9 +507,7 @@ func (us SqlUserStore) GetProfiles(teamId string, offset int, limit int) StoreCh
} else {
for _, u := range users {
- u.Password = ""
- u.AuthData = new(string)
- *u.AuthData = ""
+ u.Sanitize(map[string]bool{})
}
result.Data = users
@@ -555,9 +553,7 @@ func (us SqlUserStore) GetProfilesInChannel(channelId string, offset int, limit
} else {
for _, u := range users {
- u.Password = ""
- u.AuthData = new(string)
- *u.AuthData = ""
+ u.Sanitize(map[string]bool{})
}
result.Data = users
@@ -609,9 +605,7 @@ func (us SqlUserStore) GetAllProfilesInChannel(channelId string, allowFromCache
userMap := make(map[string]*model.User)
for _, u := range users {
- u.Password = ""
- u.AuthData = new(string)
- *u.AuthData = ""
+ u.Sanitize(map[string]bool{})
userMap[u.Id] = u
}
@@ -657,9 +651,7 @@ func (us SqlUserStore) GetProfilesNotInChannel(teamId string, channelId string,
} else {
for _, u := range users {
- u.Password = ""
- u.AuthData = new(string)
- *u.AuthData = ""
+ u.Sanitize(map[string]bool{})
}
result.Data = users
@@ -705,9 +697,7 @@ func (us SqlUserStore) GetProfilesWithoutTeam(offset int, limit int) StoreChanne
} else {
for _, u := range users {
- u.Password = ""
- u.AuthData = new(string)
- *u.AuthData = ""
+ u.Sanitize(map[string]bool{})
}
result.Data = users
@@ -748,9 +738,7 @@ func (us SqlUserStore) GetProfilesByUsernames(usernames []string, teamId string)
userMap := make(map[string]*model.User)
for _, u := range users {
- u.Password = ""
- u.AuthData = new(string)
- *u.AuthData = ""
+ u.Sanitize(map[string]bool{})
userMap[u.Id] = u
}
@@ -796,9 +784,7 @@ func (us SqlUserStore) GetRecentlyActiveUsersForTeam(teamId string) StoreChannel
for _, userWithLastActivityAt := range users {
u := userWithLastActivityAt.User
- u.Password = ""
- u.AuthData = new(string)
- *u.AuthData = ""
+ u.Sanitize(map[string]bool{})
u.LastActivityAt = userWithLastActivityAt.LastActivityAt
userMap[u.Id] = &u
}
@@ -868,9 +854,8 @@ func (us SqlUserStore) GetProfileByIds(userIds []string, allowFromCache bool) St
} else {
for _, u := range users {
- u.Password = ""
- u.AuthData = new(string)
- *u.AuthData = ""
+ u.Sanitize(map[string]bool{})
+
profileByIdsCache.AddWithExpiresInSecs(u.Id, u, PROFILE_BY_IDS_CACHE_SEC)
}
@@ -900,9 +885,7 @@ func (us SqlUserStore) GetSystemAdminProfiles() StoreChannel {
userMap := make(map[string]*model.User)
for _, u := range users {
- u.Password = ""
- u.AuthData = new(string)
- *u.AuthData = ""
+ u.Sanitize(map[string]bool{})
userMap[u.Id] = u
}
@@ -1485,9 +1468,7 @@ func (us SqlUserStore) performSearch(searchQuery string, term string, options ma
result.Err = model.NewLocAppError("SqlUserStore.Search", "store.sql_user.search.app_error", nil, "term="+term+", "+"search_type="+searchType+", "+err.Error())
} else {
for _, u := range users {
- u.Password = ""
- u.AuthData = new(string)
- *u.AuthData = ""
+ u.Sanitize(map[string]bool{})
}
result.Data = users
@@ -1560,9 +1541,7 @@ func (us SqlUserStore) GetProfilesNotInTeam(teamId string, offset int, limit int
} else {
for _, u := range users {
- u.Password = ""
- u.AuthData = new(string)
- *u.AuthData = ""
+ u.Sanitize(map[string]bool{})
}
result.Data = users