diff options
author | Joram Wilander <jwawilander@gmail.com> | 2016-12-02 12:24:22 -0500 |
---|---|---|
committer | Christopher Speller <crspeller@gmail.com> | 2016-12-02 12:24:22 -0500 |
commit | ea26c72dad3bc1a2ccb020310b635bd6484a1b15 (patch) | |
tree | ec73bb8521deb49fbd08033ef0543c2f0311cdda /api | |
parent | c952985ffd035f95e82fef2fbc2e8bd48ab9ec3b (diff) | |
download | chat-ea26c72dad3bc1a2ccb020310b635bd6484a1b15.tar.gz chat-ea26c72dad3bc1a2ccb020310b635bd6484a1b15.tar.bz2 chat-ea26c72dad3bc1a2ccb020310b635bd6484a1b15.zip |
PLT-4710 User search now obeys privacy settings (#4673)
* Consider privacy settings in user search
* Add sysadmin as exception to privacy settings for user search
Diffstat (limited to 'api')
-rw-r--r-- | api/user.go | 33 | ||||
-rw-r--r-- | api/user_test.go | 137 |
2 files changed, 168 insertions, 2 deletions
diff --git a/api/user.go b/api/user.go index f5f2582b3..e5d00ea36 100644 --- a/api/user.go +++ b/api/user.go @@ -2648,6 +2648,21 @@ func searchUsers(c *Context, w http.ResponseWriter, r *http.Request) { searchOptions := map[string]bool{} searchOptions[store.USER_SEARCH_OPTION_ALLOW_INACTIVE] = props.AllowInactive + if !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) { + hideFullName := !utils.Cfg.PrivacySettings.ShowFullName + hideEmail := !utils.Cfg.PrivacySettings.ShowEmailAddress + + if hideFullName && hideEmail { + searchOptions[store.USER_SEARCH_OPTION_NAMES_ONLY_NO_FULL_NAME] = true + } else if hideFullName { + searchOptions[store.USER_SEARCH_OPTION_ALL_NO_FULL_NAME] = true + } else if hideEmail { + searchOptions[store.USER_SEARCH_OPTION_NAMES_ONLY] = true + } + + c.Err = nil + } + var uchan store.StoreChannel if props.InChannelId != "" { uchan = Srv.Store.User().SearchInChannel(props.InChannelId, props.Term, searchOptions) @@ -2711,7 +2726,14 @@ func autocompleteUsersInChannel(c *Context, w http.ResponseWriter, r *http.Reque } searchOptions := map[string]bool{} - searchOptions[store.USER_SEARCH_OPTION_NAMES_ONLY] = true + + hideFullName := !utils.Cfg.PrivacySettings.ShowFullName + if hideFullName && !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) { + searchOptions[store.USER_SEARCH_OPTION_NAMES_ONLY_NO_FULL_NAME] = true + c.Err = nil + } else { + searchOptions[store.USER_SEARCH_OPTION_NAMES_ONLY] = true + } uchan := Srv.Store.User().SearchInChannel(channelId, term, searchOptions) nuchan := Srv.Store.User().SearchNotInChannel(teamId, channelId, term, searchOptions) @@ -2760,7 +2782,14 @@ func autocompleteUsersInTeam(c *Context, w http.ResponseWriter, r *http.Request) } searchOptions := map[string]bool{} - searchOptions[store.USER_SEARCH_OPTION_NAMES_ONLY] = true + + hideFullName := !utils.Cfg.PrivacySettings.ShowFullName + if hideFullName && !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) { + searchOptions[store.USER_SEARCH_OPTION_NAMES_ONLY_NO_FULL_NAME] = true + c.Err = nil + } else { + searchOptions[store.USER_SEARCH_OPTION_NAMES_ONLY] = true + } uchan := Srv.Store.User().Search(teamId, term, searchOptions) diff --git a/api/user_test.go b/api/user_test.go index 02ea71c83..13ae45f6e 100644 --- a/api/user_test.go +++ b/api/user_test.go @@ -2240,6 +2240,112 @@ func TestSearchUsers(t *testing.T) { } } + emailPrivacy := utils.Cfg.PrivacySettings.ShowEmailAddress + namePrivacy := utils.Cfg.PrivacySettings.ShowFullName + defer func() { + utils.Cfg.PrivacySettings.ShowEmailAddress = emailPrivacy + utils.Cfg.PrivacySettings.ShowFullName = namePrivacy + }() + utils.Cfg.PrivacySettings.ShowEmailAddress = false + utils.Cfg.PrivacySettings.ShowFullName = false + + privacyEmailPrefix := strings.ToLower(model.NewId()) + privacyUser := &model.User{Email: privacyEmailPrefix + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1", FirstName: model.NewId(), LastName: "Jimmers"} + privacyUser = Client.Must(Client.CreateUser(privacyUser, "")).Data.(*model.User) + LinkUserToTeam(privacyUser, th.BasicTeam) + + if result, err := Client.SearchUsers(model.UserSearch{Term: privacyUser.FirstName}); err != nil { + t.Fatal(err) + } else { + users := result.Data.([]*model.User) + + found := false + for _, user := range users { + if user.Id == privacyUser.Id { + found = true + } + } + + if found { + t.Fatal("should not have found profile") + } + } + + utils.Cfg.PrivacySettings.ShowEmailAddress = true + + if result, err := Client.SearchUsers(model.UserSearch{Term: privacyUser.FirstName}); err != nil { + t.Fatal(err) + } else { + users := result.Data.([]*model.User) + + found := false + for _, user := range users { + if user.Id == privacyUser.Id { + found = true + } + } + + if found { + t.Fatal("should not have found profile") + } + } + + utils.Cfg.PrivacySettings.ShowEmailAddress = false + utils.Cfg.PrivacySettings.ShowFullName = true + + if result, err := Client.SearchUsers(model.UserSearch{Term: privacyUser.FirstName}); err != nil { + t.Fatal(err) + } else { + users := result.Data.([]*model.User) + + found := false + for _, user := range users { + if user.Id == privacyUser.Id { + found = true + } + } + + if !found { + t.Fatal("should have found profile") + } + } + + if result, err := Client.SearchUsers(model.UserSearch{Term: privacyEmailPrefix}); err != nil { + t.Fatal(err) + } else { + users := result.Data.([]*model.User) + + found := false + for _, user := range users { + if user.Id == privacyUser.Id { + found = true + } + } + + if found { + t.Fatal("should not have found profile") + } + } + + utils.Cfg.PrivacySettings.ShowEmailAddress = true + + if result, err := Client.SearchUsers(model.UserSearch{Term: privacyEmailPrefix}); err != nil { + t.Fatal(err) + } else { + users := result.Data.([]*model.User) + + found := false + for _, user := range users { + if user.Id == privacyUser.Id { + found = true + } + } + + if !found { + t.Fatal("should have found profile") + } + } + th.LoginBasic2() if result, err := Client.SearchUsers(model.UserSearch{Term: th.BasicUser.Username}); err != nil { @@ -2364,6 +2470,37 @@ func TestAutocompleteUsers(t *testing.T) { } } + namePrivacy := utils.Cfg.PrivacySettings.ShowFullName + defer func() { + utils.Cfg.PrivacySettings.ShowFullName = namePrivacy + }() + utils.Cfg.PrivacySettings.ShowFullName = false + + privacyUser := &model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1", FirstName: model.NewId(), LastName: "Jimmers"} + privacyUser = Client.Must(Client.CreateUser(privacyUser, "")).Data.(*model.User) + LinkUserToTeam(privacyUser, th.BasicTeam) + + if result, err := Client.AutocompleteUsersInChannel(privacyUser.FirstName, th.BasicChannel.Id); err != nil { + t.Fatal(err) + } else { + autocomplete := result.Data.(*model.UserAutocompleteInChannel) + if len(autocomplete.InChannel) != 0 { + t.Fatal("should have returned no users") + } + if len(autocomplete.OutOfChannel) != 0 { + t.Fatal("should have returned no users") + } + } + + if result, err := Client.AutocompleteUsersInTeam(privacyUser.FirstName); err != nil { + t.Fatal(err) + } else { + autocomplete := result.Data.(*model.UserAutocompleteInTeam) + if len(autocomplete.InTeam) != 0 { + t.Fatal("should have returned no users") + } + } + if _, err := Client.AutocompleteUsersInChannel("", "junk"); err == nil { t.Fatal("should have errored - bad channel id") } |