[BREAK] Always remove the field `services` from user data responses (#10799)

[BREAK] Always remove the field `services` from user data responses in REST API
8 years ago · c53fa4dba9
parent 6cfc53ff57
commit c53fa4dba9
2 changed files with 20 additions and 8 deletions
--- a/packages/rocketchat-api/server/api.js
+++ b/packages/rocketchat-api/server/api.js
@ -31,6 +31,9 @@ class API extends Restivus {
 			customFields: 0,
 			settings: 0
 		};
+		this.limitedUserFieldsToExcludeIfIsPrivilegedUser = {
+			services: 0
+		};

 		this._config.defaultOptionsEndpoint = function _defaultOptionsEndpoint() {
 			if (this.request.method === 'OPTIONS' && this.request.headers['access-control-request-method']) {
--- a/packages/rocketchat-api/server/helpers/parseJsonQuery.js
+++ b/packages/rocketchat-api/server/helpers/parseJsonQuery.js
@ -22,8 +22,9 @@ RocketChat.API.helperMethods.set('parseJsonQuery', function _parseJsonQuery() {
 	// Verify the user's selected fields only contains ones which their role allows
 	if (typeof fields === 'object') {
 		let nonSelectableFields = Object.keys(RocketChat.API.v1.defaultFieldsToExclude);
-		if (!RocketChat.authz.hasPermission(this.userId, 'view-full-other-user-info') && this.request.route.includes('/v1/users.')) {
-			nonSelectableFields = nonSelectableFields.concat(Object.keys(RocketChat.API.v1.limitedUserFieldsToExclude));
+		if (this.request.route.includes('/v1/users.')) {
+			const getFields = () => Object.keys(RocketChat.authz.hasPermission(this.userId, 'view-full-other-user-info') ? RocketChat.API.v1.limitedUserFieldsToExcludeIfIsPrivilegedUser : RocketChat.API.v1.limitedUserFieldsToExclude);
+			nonSelectableFields = nonSelectableFields.concat(getFields());
 		}

 		Object.keys(fields).forEach((k) => {
@ -35,8 +36,12 @@ RocketChat.API.helperMethods.set('parseJsonQuery', function _parseJsonQuery() {

 	// Limit the fields by default
 	fields = Object.assign({}, fields, RocketChat.API.v1.defaultFieldsToExclude);
-	if (!RocketChat.authz.hasPermission(this.userId, 'view-full-other-user-info') && this.request.route.includes('/v1/users.')) {
-		fields = Object.assign(fields, RocketChat.API.v1.limitedUserFieldsToExclude);
+	if (this.request.route.includes('/v1/users.')) {
+		if (RocketChat.authz.hasPermission(this.userId, 'view-full-other-user-info')) {
+			fields = Object.assign(fields, RocketChat.API.v1.limitedUserFieldsToExcludeIfIsPrivilegedUser);
+		} else {
+			fields = Object.assign(fields, RocketChat.API.v1.limitedUserFieldsToExclude);
+		}
 	}

 	let query;
@ -51,13 +56,17 @@ RocketChat.API.helperMethods.set('parseJsonQuery', function _parseJsonQuery() {

 	// Verify the user has permission to query the fields they are
 	if (typeof query === 'object') {
-		let nonQuerableFields = Object.keys(RocketChat.API.v1.defaultFieldsToExclude);
-		if (!RocketChat.authz.hasPermission(this.userId, 'view-full-other-user-info') && this.request.route.includes('/v1/users.')) {
-			nonQuerableFields = nonQuerableFields.concat(Object.keys(RocketChat.API.v1.limitedUserFieldsToExclude));
+		let nonQueryableFields = Object.keys(RocketChat.API.v1.defaultFieldsToExclude);
+		if (this.request.route.includes('/v1/users.')) {
+			if (RocketChat.authz.hasPermission(this.userId, 'view-full-other-user-info')) {
+				nonQueryableFields = nonQueryableFields.concat(Object.keys(RocketChat.API.v1.limitedUserFieldsToExcludeIfIsPrivilegedUser));
+			} else {
+				nonQueryableFields = nonQueryableFields.concat(Object.keys(RocketChat.API.v1.limitedUserFieldsToExclude));
+			}
 		}

 		Object.keys(query).forEach((k) => {
-			if (nonQuerableFields.includes(k) || nonQuerableFields.includes(k.split(RocketChat.API.v1.fieldSeparator)[0])) {
+			if (nonQueryableFields.includes(k) || nonQueryableFields.includes(k.split(RocketChat.API.v1.fieldSeparator)[0])) {
 				delete query[k];
 			}
 		});