finn/forgejo
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Fix API leaking Usermail if not logged in (#25097)

Browse source 
The API should only return the real Mail of a User, if the caller is
logged in. The check do to this don't work. This PR fixes this. This not
really a security issue, but can lead to Spam.

---------

Co-authored-by: silverwind <me@silverwind.io>
This commit is contained in:
JakobDev 2023-07-31 03:18:38 +02:00 committed by GitHub
parent 7dc2e50113
commit ea385f5d39
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 24 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

7
models/user/user.go
View file

@ -203,11 +203,16 @@ func UpdateUserTheme(u *User, themeName string) error {
return UpdateUserCols(db.DefaultContext, u, "theme")
}
// GetPlaceholderEmail returns an noreply email
func (u *User) GetPlaceholderEmail() string {
return fmt.Sprintf("%s@%s", u.LowerName, setting.Service.NoReplyAddress)
}
// GetEmail returns an noreply email, if the user has set to keep his
// email address private, otherwise the primary email address.
func (u *User) GetEmail() string {
if u.KeepEmailPrivate {
return fmt.Sprintf("%s@%s", u.LowerName, setting.Service.NoReplyAddress)
return u.GetPlaceholderEmail()
}
return u.Email
}