Dont expose user email via API

To prevent leaking of users info we reduce amount of user information retrieved via API for normal users. What user can get via API: * if not admin: only id, state, name, username and avatar_url * if admin: all user information * about himself: all informaion Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

Dont expose user email via API
ae564c97 · Dmitriy Zaporozhets · d5b0f29c · ae564c97 · ae564c97 · ae564c97
Verified Commit ae564c97 authored 10 years ago by Dmitriy Zaporozhets
--- a/app/assets/javascripts/project_users_select.js.coffee
+++ b/app/assets/javascripts/project_users_select.js.coffee
@@ -37,13 +37,9 @@
  
  projectUserFormatResult: (user) ->
    if user.avatar_url
-      avatar = gon.relative_url_root + user.avatar_url
-    else if gon.gravatar_enabled
-      avatar = gon.gravatar_url
-      avatar = avatar.replace('%{hash}', md5(user.email))
-      avatar = avatar.replace('%{size}', '24')
+      avatar = user.avatar_url
    else
-      avatar = gon.relative_url_root + "#{image_path('no_avatar.png')}"
+      avatar = gon.default_avatar_url
  
    if user.id == ''
      avatarMarkup = ''

--- a/app/assets/javascripts/users_select.js.coffee
+++ b/app/assets/javascripts/users_select.js.coffee
 $ ->
  userFormatResult = (user) ->
    if user.avatar_url
-      avatar = gon.relative_url_root + user.avatar_url
-    else if gon.gravatar_enabled
-      avatar = gon.gravatar_url
-      avatar = avatar.replace('%{hash}', md5(user.email))
-      avatar = avatar.replace('%{size}', '24')
+      avatar = user.avatar_url
    else
-      avatar = gon.relative_url_root + "#{image_path('no_avatar.png')}"
+      avatar = gon.default_avatar_url
  
    "<div class='user-result'>
       <div class='user-image'><img class='avatar s24' src='#{avatar}'></div>

--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -164,9 +164,8 @@ class ApplicationController < ActionController::Base
  def add_gon_variables
    gon.default_issues_tracker = Project.issues_tracker.default_value
    gon.api_version = API::API.version
-    gon.gravatar_url = request.ssl? || Gitlab.config.gitlab.https ? Gitlab.config.gravatar.ssl_url : Gitlab.config.gravatar.plain_url
    gon.relative_url_root = Gitlab.config.gitlab.relative_url_root
-    gon.gravatar_enabled = Gitlab.config.gravatar.enabled
+    gon.default_avatar_url = URI::join(Gitlab.config.gitlab.url, ActionController::Base.helpers.image_path('no_avatar.png')).to_s
  
    if current_user
      gon.current_user_id = current_user.id

--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -60,23 +60,21 @@ module ApplicationHelper
  
  def avatar_icon(user_email = '', size = nil)
    user = User.find_by(email: user_email)
-    if user && user.avatar.present?
-      user.avatar.url
+
+    if user
+      user.avatar_url(size) || default_avatar
    else
      gravatar_icon(user_email, size)
    end
  end
  
  def gravatar_icon(user_email = '', size = nil)
-    size = 40 if size.nil? || size <= 0
+    GravatarService.new.execute(user_email, size) ||
+      default_avatar
+  end
  
-    if !Gitlab.config.gravatar.enabled || user_email.blank?
+  def default_avatar
    image_path('no_avatar.png')
-    else
-      gravatar_url = request.ssl? || gitlab_config.https ? Gitlab.config.gravatar.ssl_url : Gitlab.config.gravatar.plain_url
-      user_email.strip!
-      sprintf gravatar_url, hash: Digest::MD5.hexdigest(user_email.downcase), size: size, email: user_email
-    end
  end
  
  def last_commit(project)

--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -482,4 +482,12 @@ class User < ActiveRecord::Base
  def public_profile?
    authorized_projects.public_only.any?
  end
+
+  def avatar_url(size = nil)
+    if avatar.present?
+      URI::join(Gitlab.config.gitlab.url, avatar.url).to_s
+    else
+      GravatarService.new.execute(email)
+    end
+  end
 end
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
 module API
  module Entities
-    class User < Grape::Entity
-      expose :id, :username, :email, :name, :bio, :skype, :linkedin, :twitter, :website_url,
-             :theme_id, :color_scheme_id, :state, :created_at, :extern_uid, :provider
-      expose :is_admin?, as: :is_admin
-      expose :can_create_group?, as: :can_create_group
-      expose :can_create_project?, as: :can_create_project
-
-      expose :avatar_url do |user, options|
-        if user.avatar.present?
-          user.avatar.url
-        end
+    class UserSafe < Grape::Entity
+      expose :name, :username
    end
+
+    class UserBasic < UserSafe
+      expose :id, :state, :avatar_url
    end
  
-    class UserSafe < Grape::Entity
-      expose :name, :username
+    class User < UserBasic
+      expose :created_at
+      expose :is_admin?, as: :is_admin
+      expose :bio, :skype, :linkedin, :twitter, :website_url
    end
  
-    class UserBasic < Grape::Entity
-      expose :id, :username, :email, :name, :state, :created_at
+    class UserFull < User
+      expose :email
+      expose :theme_id, :color_scheme_id, :extern_uid, :provider
+      expose :can_create_group?, as: :can_create_group
+      expose :can_create_project?, as: :can_create_project
    end
  
-    class UserLogin < User
+    class UserLogin < UserFull
      expose :private_token
    end
  

--- a/lib/api/internal.rb
+++ b/lib/api/internal.rb
@@ -59,4 +59,3 @@ module API
    end
  end
 end
-
--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
@@ -209,7 +209,7 @@ module API
        @users = User.where(id: user_project.team.users.map(&:id))
        @users = @users.search(params[:search]) if params[:search].present?
        @users = paginate @users
-        present @users, with: Entities::User
+        present @users, with: Entities::UserBasic
      end
  
      # Get a project labels

--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -13,7 +13,12 @@ module API
        @users = @users.active if params[:active].present?
        @users = @users.search(params[:search]) if params[:search].present?
        @users = paginate @users
-        present @users, with: Entities::User
+
+        if current_user.is_admin?
+          present @users, with: Entities::UserFull
+        else
+          present @users, with: Entities::UserBasic
+        end
      end
  
      # Get a single user
@@ -24,7 +29,12 @@ module API
      #   GET /users/:id
      get ":id" do
        @user = User.find(params[:id])
-        present @user, with: Entities::User
+
+        if current_user.is_admin?
+          present @user, with: Entities::UserFull
+        else
+          present @user, with: Entities::UserBasic
+        end
      end
  
      # Create user. Available only for admin
@@ -53,7 +63,7 @@ module API
        admin = attrs.delete(:admin)
        user.admin = admin unless admin.nil?
        if user.save
-          present user, with: Entities::User
+          present user, with: Entities::UserFull
        else
          not_found!
        end
@@ -87,7 +97,7 @@ module API
        admin = attrs.delete(:admin)
        user.admin = admin unless admin.nil?
        if user.update_attributes(attrs, as: :admin)
-          present user, with: Entities::User
+          present user, with: Entities::UserFull
        else
          not_found!
        end

--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -20,7 +20,7 @@ describe API::API, api: true  do
        get api("/users", user)
        response.status.should == 200
        json_response.should be_an Array
-        json_response.first['email'].should == user.email
+        json_response.first['username'].should == user.username
      end
    end
  end
@@ -29,7 +29,7 @@ describe API::API, api: true  do
    it "should return a user by id" do
      get api("/users/#{user.id}", user)
      response.status.should == 200
-      json_response['email'].should == user.email
+      json_response['username'].should == user.username
    end
  
    it "should return a 401 if unauthenticated" do