Merge pull request #1500 from siemens/fix/rest/show-users-admin

fix(rest): Hide sensitive user info reviewed by : anupam.ghosh@siemens.com tested by : anupam.ghosh@siemens.com
fossology · Dec 23, 2019 · 19f2d87 · 19f2d87
2 parents 6d00529 + 50558dc
commit 19f2d87
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 15 deletions.
diff --git a/src/www/ui/api/Helper/DbHelper.php b/src/www/ui/api/Helper/DbHelper.php
@@ -34,6 +34,7 @@
 use Fossology\UI\Api\Models\InfoType;
 use Fossology\UI\Api\Models\Info;
 use Fossology\Lib\Db\DbManager;
+use Fossology\Lib\Auth\Auth;
 
 /**
  * @class DbHelper
@@ -176,12 +177,22 @@ public function getUsers($id = null)
     if ($id === null) {
       $result = $result = $this->dbManager->getRows($usersSQL, [], $statement);
     } else {
-      $result = $result = $this->dbManager->getRows($usersSQL, [$id], $statement);
+      $result = $result = $this->dbManager->getRows($usersSQL, [$id],
+        $statement);
     }
+    $currentUser = Auth::getUserId();
+    $userIsAdmin = Auth::isAdmin();
     foreach ($result as $row) {
-      $user = new User($row["user_pk"], $row["user_name"], $row["user_desc"],
-        $row["user_email"], $row["user_perm"], $row["root_folder_fk"],
-        $row["email_notify"], $row["user_agent_list"]);
+      $user = null;
+      if ($userIsAdmin ||
+        ($row["user_pk"] == $currentUser)) {
+        $user = new User($row["user_pk"], $row["user_name"], $row["user_desc"],
+          $row["user_email"], $row["user_perm"], $row["root_folder_fk"],
+          $row["email_notify"], $row["user_agent_list"]);
+      } else {
+        $user = new User($row["user_pk"], $row["user_name"], $row["user_desc"],
+          null, null, null, null, null);
+      }
       $users[] = $user->getArray();
     }
 

diff --git a/src/www/ui/api/Models/User.php b/src/www/ui/api/Models/User.php
@@ -193,15 +193,23 @@ public function getJSON()
    */
   public function getArray()
   {
-    return [
-      "id"       => $this->id,
-      "name"         => $this->name,
-      "description"  => $this->description,
-      "email"        => $this->email,
-      "accessLevel"  => $this->accessLevel,
-      "rootFolderId" => $this->rootFolderId,
-      "emailNotification" => $this->emailNotification,
-      "agents"       => $this->analysis->getArray()
-    ];
+    $returnUser = array();
+    $returnUser["id"] = $this->id;
+    $returnUser["name"] = $this->name;
+    $returnUser["description"] = $this->description;
+    if ($this->email !== null) {
+      $returnUser["email"] = $this->email;
+      $returnUser["accessLevel"] = $this->accessLevel;
+    }
+    if ($this->rootFolderId !== null && $this->rootFolderId != 0) {
+      $returnUser["rootFolderId"] = $this->rootFolderId;
+    }
+    if ($this->emailNotification !== null) {
+      $returnUser["emailNotification"] = $this->emailNotification;
+    }
+    if ($this->agents !== null) {
+      $returnUser["agents"] = $this->analysis->getArray();
+    }
+    return $returnUser;
   }
 }
diff --git a/src/www/ui/api/documentation/openapi.yaml b/src/www/ui/api/documentation/openapi.yaml
@@ -14,7 +14,7 @@ openapi: 3.0.2
 info:
   title: FOSSology API
   description: Automate your fossology instance using REST API
-  version: 1.0.6
+  version: 1.0.7
   contact:
     email: fossology@fossology.org
   license:
@@ -893,6 +893,10 @@ components:
           description: enable email notification when upload scan completes
         agents:
           $ref: '#/components/schemas/Analysis'
+      required:
+        - id
+        - name
+        - description
     Analysis:
       type: object
       properties: