(3.8.2 proposed fix) Fix update and get user v4 endpoints to sanitize properly

api4/user.go

@@ -108,7 +108,11 @@ func getUser(c *Context, w http.ResponseWriter, r *http.Request) {
 	if HandleEtag(etag, "Get User", w, r) {
 		return
 	} else {
-		app.SanitizeProfile(user, c.IsSystemAdmin())
+		if c.Session.UserId == user.Id {
+			user.Sanitize(map[string]bool{})
+		} else {
+			app.SanitizeProfile(user, c.IsSystemAdmin())
+		}
 		w.Header().Set(model.HEADER_ETAG_SERVER, etag)
 		w.Write([]byte(user.ToJson()))
 		return

app/user.go

@@ -940,9 +940,7 @@ func UpdateUserAsUser(user *model.User, asAdmin bool) (*model.User, *model.AppEr
 		return nil, err
 	}
 
-	SanitizeProfile(updatedUser, asAdmin)
-
-	sendUpdatedUserEvent(updatedUser)
+	sendUpdatedUserEvent(*updatedUser, asAdmin)
 
 	return updatedUser, nil
 }
@@ -960,14 +958,14 @@ func PatchUser(userId string, patch *model.UserPatch, asAdmin bool) (*model.User
 		return nil, err
 	}
 
-	SanitizeProfile(updatedUser, asAdmin)
-
-	sendUpdatedUserEvent(updatedUser)
+	sendUpdatedUserEvent(*updatedUser, asAdmin)
 
 	return updatedUser, nil
 }
 
-func sendUpdatedUserEvent(user *model.User) {
+func sendUpdatedUserEvent(user model.User, asAdmin bool) {
+	SanitizeProfile(&user, asAdmin)
+
 	omitUsers := make(map[string]bool, 1)
 	omitUsers[user.Id] = true
 	message := model.NewWebSocketEvent(model.WEBSOCKET_EVENT_USER_UPDATED, "", "", "", omitUsers)

store/sql_user_store.go

@@ -192,6 +192,14 @@ func (us SqlUserStore) Update(user *model.User, trustedUpdateData bool) StoreCha
 			} else if count != 1 {
 				result.Err = model.NewLocAppError("SqlUserStore.Update", "store.sql_user.update.app_error", nil, fmt.Sprintf("user_id=%v, count=%v", user.Id, count))
 			} else {
+				user.Password = ""
+				user.AuthData = new(string)
+				*user.AuthData = ""
+				user.MfaSecret = ""
+				oldUser.Password = ""
+				oldUser.AuthData = new(string)
+				*oldUser.AuthData = ""
+				oldUser.MfaSecret = ""
 				result.Data = [2]*model.User{user, oldUser}
 			}
 		}