From 837808eba389f1f74da8200b35d1fdc7ea14900e Mon Sep 17 00:00:00 2001
From: Joram Wilander
Date: Wed, 14 Sep 2016 08:57:33 -0400
Subject: Update getUser API and add it to the JS driver (#4020)

---
 api/user.go | 9 +++----
 api/user_test.go | 50 ++++++++++++++++++++++++++++++++++++---
 webapp/client/client.jsx | 9 +++++++
 webapp/tests/client_user.test.jsx | 15 ++++++++++++
 4 files changed, 74 insertions(+), 9 deletions(-)

diff --git a/api/user.go b/api/user.go
index adcc44f30..35cc3612e 100644
--- a/api/user.go
+++ b/api/user.go
@@ -932,18 +932,15 @@ func getUser(c *Context, w http.ResponseWriter, r *http.Request) {
 params := mux.Vars(r)
 id := params["user_id"]
- if !HasPermissionToUser(c, id) {
- return
- }
-
 if result := <-Srv.Store.User().Get(id); result.Err != nil {
 c.Err = result.Err
 return
 } else if HandleEtag(result.Data.(*model.User).Etag(utils.Cfg.PrivacySettings.ShowFullName, utils.Cfg.PrivacySettings.ShowEmailAddress), w, r) {
 return
 } else {
- result.Data.(*model.User).Sanitize(map[string]bool{})
- w.Header().Set(model.HEADER_ETAG_SERVER, result.Data.(*model.User).Etag(utils.Cfg.PrivacySettings.ShowFullName, utils.Cfg.PrivacySettings.ShowEmailAddress))
+ user := sanitizeProfile(c, result.Data.(*model.User))
+
+ w.Header().Set(model.HEADER_ETAG_SERVER, user.Etag(utils.Cfg.PrivacySettings.ShowFullName, utils.Cfg.PrivacySettings.ShowEmailAddress))
 w.Write([]byte(result.Data.(*model.User).ToJson()))
 return
 }
diff --git a/api/user_test.go b/api/user_test.go
index d2c15f730..a68d1199a 100644
--- a/api/user_test.go
+++ b/api/user_test.go
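Review bot: The response body on the last unchanged line of the hunk is still built from `result.Data.(*model.User).ToJson()`, while the ETag two lines above now comes from `user`, the value returned by sanitizeProfile. If sanitizeProfile returns a copy rather than modifying its argument in place (its body is not in this diff), the unsanitized record — email, full name and whatever else the privacy settings are meant to hide — is what gets written, and with the HasPermissionToUser check removed, sanitization is now the only control on what a caller sees for another user. The new TestGetUser assertions pass only if the helper mutates in place, so correctness currently hangs on an implementation detail of the helper; using the sanitized value consistently removes that dependency: `w.Write([]byte(user.ToJson()))`. getUser's closing brace is outside the hunk.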
@@ -345,7 +345,7 @@ func TestGetUser(t *testing.T) {
 LinkUserToTeam(ruser.Data.(*model.User), rteam.Data.(*model.Team))
 store.Must(Srv.Store.User().VerifyEmail(ruser.Data.(*model.User).Id))
- user2 := model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"}
+ user2 := model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1", FirstName: "Corey", LastName: "Hulen"}
 ruser2, _ := Client.CreateUser(&user2, "")
 LinkUserToTeam(ruser2.Data.(*model.User), rteam.Data.(*model.Team))
 store.Must(Srv.Store.User().VerifyEmail(ruser2.Data.(*model.User).Id))
@@ -387,8 +387,52 @@ func TestGetUser(t *testing.T) {
 t.Fatal("shouldn't exist")
 }
- if _, err := Client.GetUser(ruser2.Data.(*model.User).Id, ""); err == nil {
- t.Fatal("shouldn't have accss")
+ emailPrivacy := utils.Cfg.PrivacySettings.ShowEmailAddress
+ namePrivacy := utils.Cfg.PrivacySettings.ShowFullName
+ defer func() {
+ utils.Cfg.PrivacySettings.ShowEmailAddress = emailPrivacy
+ utils.Cfg.PrivacySettings.ShowFullName = namePrivacy
+ }()
+ utils.Cfg.PrivacySettings.ShowEmailAddress = false
+ utils.Cfg.PrivacySettings.ShowFullName = false
+
+ if result, err := Client.GetUser(ruser2.Data.(*model.User).Id, ""); err != nil {
+ t.Fatal(err)
+ } else {
+ u := result.Data.(*model.User)
+ if u.Password != "" {
+ t.Fatal("password must be empty")
+ }
+ if *u.AuthData != "" {
+ t.Fatal("auth data must be empty")
+ }
+ if u.Email != "" {
+ t.Fatal("email should be sanitized")
+ }
+ if u.FirstName != "" {
+ t.Fatal("full name should be sanitized")
+ }
+ if u.LastName != "" {
+ t.Fatal("full name should be sanitized")
+ }
+ }
+
+ utils.Cfg.PrivacySettings.ShowEmailAddress = true
+ utils.Cfg.PrivacySettings.ShowFullName = true
+
+ if result, err := Client.GetUser(ruser2.Data.(*model.User).Id, ""); err != nil {
+ t.Fatal(err)
+ } else {
+ u := result.Data.(*model.User)
+ if u.Email == "" {
+ t.Fatal("email should not be sanitized")
+ }
+ if u.FirstName == "" {
+ t.Fatal("full name should not be sanitized")
+ }
+ if u.LastName == "" {
+ t.Fatal("full name should not be sanitized")
+ }
 }
 if userMap, err := Client.GetProfiles(rteam.Data.(*model.Team).Id, ""); err != nil {
diff --git a/webapp/client/client.jsx b/webapp/client/client.jsx
index 6aabee080..a5d179a0d 100644
--- a/webapp/client/client.jsx
+++ b/webapp/client/client.jsx
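Review bot: `*u.AuthData != ""` in the first added block dereferences AuthData without a nil check; if the sanitized profile ever comes back with AuthData nil rather than a pointer to an empty string (the field's type is not visible in this diff), the test panics instead of reporting a failure. `if u.AuthData != nil && *u.AuthData != "" {` keeps the assertion and turns that case into a plain t.Fatal. Both added blocks only request ruser2's profile, so if sanitizeProfile treats the caller's own profile differently, that path has no coverage here. TestGetUser continues outside the hunk on both sides.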
@@ -856,6 +856,15 @@ export default class Client {
 end(this.handleResponse.bind(this, 'getMe', success, error));
 }
+ getUser(userId, success, error) {
+ request.
+ get(`${this.getUserNeededRoute(userId)}/get`).
+ set(this.defaultHeaders).
+ type('application/json').
+ accept('application/json').
+ end(this.handleResponse.bind(this, 'getUser', success, error));
+ }
+
 login(loginId, password, mfaToken, success, error) {
 this.doLogin({login_id: loginId, password, token: mfaToken}, success, error);
diff --git a/webapp/tests/client_user.test.jsx b/webapp/tests/client_user.test.jsx
index 116eee4ae..6c65e8ef5 100644
--- a/webapp/tests/client_user.test.jsx
+++ b/webapp/tests/client_user.test.jsx
@@ -21,6 +21,21 @@ describe('Client.User', function() {
 });
 });
+ it('getUser', function(done) {
+ TestHelper.initBasic(() => {
+ TestHelper.basicClient().getUser(
+ TestHelper.basicUser().id,
+ function(data) {
+ assert.equal(data.id, TestHelper.basicUser().id);
+ done();
+ },
+ function(err) {
+ done(new Error(err.message));
+ }
+ );
+ });
+ });
+
 it('getInitialLoad', function(done) {
 TestHelper.initBasic(() => {
 TestHelper.basicClient().getInitialLoad(
-- 
cgit v1.2.3-1-g7c22
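Review bot: getUser is added without a doc comment, and unlike getMe its result can be partial: the server side of this same commit (api/user.go) now passes the profile through sanitizeProfile, so email and full name may come back empty depending on the privacy settings. The neighbouring methods are undocumented too, but this one has a contract callers can get wrong, so a one-line comment above it such as `// Fetch another user's profile; fields hidden by the server's privacy settings (email, full name) are returned empty.` is worth adding. The Client class continues outside the hunk.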