authorJoram Wilander <jwawilander@gmail.com>2016-09-14 08:57:33 -0400
committerenahum <nahumhbl@gmail.com>2016-09-14 09:57:33 -0300
commit837808eba389f1f74da8200b35d1fdc7ea14900e (patch)
tree69742d74ccd39ad7313bb382e94462699c4ff790 /api
parentabe6e8e47114c8757f064bba072ef71541b3ed7d (diff)
Update getUser API and add it to the JS driver (#4020)
Diffstat (limited to 'api')
-rw-r--r--api/user.go9
-rw-r--r--api/user_test.go50
2 files changed, 50 insertions, 9 deletions
diff --git a/api/user.go b/api/user.go
index adcc44f30..35cc3612e 100644
--- a/api/user.go
+++ b/api/user.go
@@ -932,18 +932,15 @@ func getUser(c *Context, w http.ResponseWriter, r *http.Request) {
params := mux.Vars(r)
id := params["user_id"]
- if !HasPermissionToUser(c, id) {
- return
- }
-
if result := <-Srv.Store.User().Get(id); result.Err != nil {
c.Err = result.Err
return
} else if HandleEtag(result.Data.(*model.User).Etag(utils.Cfg.PrivacySettings.ShowFullName, utils.Cfg.PrivacySettings.ShowEmailAddress), w, r) {
return
} else {
- result.Data.(*model.User).Sanitize(map[string]bool{})
- w.Header().Set(model.HEADER_ETAG_SERVER, result.Data.(*model.User).Etag(utils.Cfg.PrivacySettings.ShowFullName, utils.Cfg.PrivacySettings.ShowEmailAddress))
+ user := sanitizeProfile(c, result.Data.(*model.User))
+
+ w.Header().Set(model.HEADER_ETAG_SERVER, user.Etag(utils.Cfg.PrivacySettings.ShowFullName, utils.Cfg.PrivacySettings.ShowEmailAddress))
w.Write([]byte(result.Data.(*model.User).ToJson()))
return
}
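Review bot: The response body in the final else branch is still serialized from `result.Data.(*model.User)`, while the ETag header now comes from `user`, the value returned by `sanitizeProfile`. With the `HasPermissionToUser` check removed, sanitization is the only thing keeping another account's password and auth data out of this response, so the write should use the sanitized value: `w.Write([]byte(user.ToJson()))`. If `sanitizeProfile` mutates its argument in place and returns the same pointer, the two are equivalent today, but that helper is not visible in this hunk and the handler should not rely on it. A short comment such as `// any logged-in user may fetch any profile; sanitizeProfile strips private fields` would also record why the permission check is gone. getUser's body starts above the hunk.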
diff --git a/api/user_test.go b/api/user_test.go
index d2c15f730..a68d1199a 100644
--- a/api/user_test.go
+++ b/api/user_test.go
@@ -345,7 +345,7 @@ func TestGetUser(t *testing.T) {
LinkUserToTeam(ruser.Data.(*model.User), rteam.Data.(*model.Team))
store.Must(Srv.Store.User().VerifyEmail(ruser.Data.(*model.User).Id))
- user2 := model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"}
+ user2 := model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1", FirstName: "Corey", LastName: "Hulen"}
ruser2, _ := Client.CreateUser(&user2, "")
LinkUserToTeam(ruser2.Data.(*model.User), rteam.Data.(*model.Team))
store.Must(Srv.Store.User().VerifyEmail(ruser2.Data.(*model.User).Id))
@@ -387,8 +387,52 @@ func TestGetUser(t *testing.T) {
t.Fatal("shouldn't exist")
}
- if _, err := Client.GetUser(ruser2.Data.(*model.User).Id, ""); err == nil {
- t.Fatal("shouldn't have accss")
+ emailPrivacy := utils.Cfg.PrivacySettings.ShowEmailAddress
+ namePrivacy := utils.Cfg.PrivacySettings.ShowFullName
+ defer func() {
+ utils.Cfg.PrivacySettings.ShowEmailAddress = emailPrivacy
+ utils.Cfg.PrivacySettings.ShowFullName = namePrivacy
+ }()
+ utils.Cfg.PrivacySettings.ShowEmailAddress = false
+ utils.Cfg.PrivacySettings.ShowFullName = false
+
+ if result, err := Client.GetUser(ruser2.Data.(*model.User).Id, ""); err != nil {
+ t.Fatal(err)
+ } else {
+ u := result.Data.(*model.User)
+ if u.Password != "" {
+ t.Fatal("password must be empty")
+ }
+ if *u.AuthData != "" {
+ t.Fatal("auth data must be empty")
+ }
+ if u.Email != "" {
+ t.Fatal("email should be sanitized")
+ }
+ if u.FirstName != "" {
+ t.Fatal("full name should be sanitized")
+ }
+ if u.LastName != "" {
+ t.Fatal("full name should be sanitized")
+ }
+ }
+
+ utils.Cfg.PrivacySettings.ShowEmailAddress = true
+ utils.Cfg.PrivacySettings.ShowFullName = true
+
+ if result, err := Client.GetUser(ruser2.Data.(*model.User).Id, ""); err != nil {
+ t.Fatal(err)
+ } else {
+ u := result.Data.(*model.User)
+ if u.Email == "" {
+ t.Fatal("email should not be sanitized")
+ }
+ if u.FirstName == "" {
+ t.Fatal("full name should not be sanitized")
+ }
+ if u.LastName == "" {
+ t.Fatal("full name should not be sanitized")
+ }
}
if userMap, err := Client.GetProfiles(rteam.Data.(*model.Team).Id, ""); err != nil {
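Review bot: The second `Client.GetUser` block, run with `ShowEmailAddress` and `ShowFullName` set to true, never asserts that `Password` and `AuthData` are empty; only the privacy-off block checks them. Since this endpoint now returns other users' records, the credential fields should be verified as stripped under both settings, e.g. by adding `if u.Password != "" { t.Fatal("password must be empty") }` and the matching auth-data check to the second block. Separately, `*u.AuthData != ""` dereferences without a nil guard, so if sanitization ever leaves the pointer nil the test will panic rather than fail; `if u.AuthData != nil && *u.AuthData != ""` is safer. TestGetUser begins and ends outside this hunk.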