zeripath af96286f22
Stop sanitizing full name in API (#17396)
The API convert.toUser function makes the incorrect assumption that full names could
be rendered as is without being escaped. It therefore runs the names through
markup.Sanitize which leads to a double escape of user full names. This
PR stops sanitizing the name so the value is escaped only once, where it is rendered.

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2021-10-22 15:17:35 +08:00


// Copyright 2020 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package convert
import (
"code.gitea.io/gitea/models"
api "code.gitea.io/gitea/modules/structs"
)
// ToUser converts a models.User into its API representation.
//
// doer is the requester; nil means an anonymous caller. When doer is set the
// caller is treated as signed in, and the privileged fields (admin flag, last
// login, locale, active/prohibit-login state) are additionally included when
// doer is the user themselves or a site admin. A nil user yields nil.
func ToUser(user, doer *models.User) *api.User {
	if user == nil {
		return nil
	}
	// Anonymous callers get neither the signed-in view nor the privileged one.
	if doer == nil {
		return toUser(user, false, false)
	}
	isSelfOrAdmin := doer.ID == user.ID || doer.IsAdmin
	return toUser(user, true, isSelfOrAdmin)
}
// ToUsers converts a slice of models.User into API users, applying the same
// doer-based visibility rules as ToUser to every element. The result has the
// same length and order as users; nil entries in users map to nil entries.
func ToUsers(doer *models.User, users []*models.User) []*api.User {
	converted := make([]*api.User, len(users))
	for idx, u := range users {
		converted[idx] = ToUser(u, doer)
	}
	return converted
}
// ToUserWithAccessMode converts a models.User for a caller whose relation to
// the user is described by an access mode rather than by a doer.
//
// Any access mode other than AccessModeNone unlocks the signed-in view (the
// primary email, unless the user keeps it private). The admin/self-only
// fields are never included through this path. A nil user yields nil.
func ToUserWithAccessMode(user *models.User, accessMode models.AccessMode) *api.User {
	if user == nil {
		return nil
	}
	hasAccess := accessMode != models.AccessModeNone
	return toUser(user, hasAccess, false)
}
// toUser builds the api.User for user according to two trust flags:
// signed must only be set when the requester is logged in, and authed only
// when the requester is a site admin or the user themselves.
//
// Security notes for API consumers: FullName, Description, Location and
// Website are returned exactly as stored, with no HTML sanitisation or
// escaping (sanitising here caused double escaping). This is a JSON API, so
// escaping is the responsibility of whoever renders these strings into HTML.
//
// Email is the real primary address only when the caller is signed in and the
// user has not kept it private, or when the caller is authed; otherwise it is
// whatever user.GetEmail() returns (defined in models, not shown here).
func toUser(user *models.User, signed, authed bool) *api.User {
	// Decide email disclosure up front; the rule is the only place where
	// signed matters on its own.
	showPrimaryEmail := signed && (!user.KeepEmailPrivate || authed)

	u := &api.User{
		ID:           user.ID,
		UserName:     user.Name,
		FullName:     user.FullName,
		Email:        user.GetEmail(),
		AvatarURL:    user.AvatarLink(),
		Created:      user.CreatedUnix.AsTime(),
		Restricted:   user.IsRestricted,
		Location:     user.Location,
		Website:      user.Website,
		Description:  user.Description,
		Visibility:   user.Visibility.String(),
		Followers:    user.NumFollowers,
		Following:    user.NumFollowing,
		StarredRepos: user.NumStars,
	}

	if showPrimaryEmail {
		u.Email = user.Email
	}

	// Everything below is visible only to a site admin or the user themselves.
	if !authed {
		return u
	}
	u.IsAdmin = user.IsAdmin
	u.LastLogin = user.LastLoginUnix.AsTime()
	u.Language = user.Language
	u.IsActive = user.IsActive
	u.ProhibitLogin = user.ProhibitLogin
	return u
}
// User2UserSettings returns the editable profile settings of user as an
// api.UserSettings.
//
// Values are copied verbatim: FullName, Website, Location and Description are
// not escaped here, so clients must escape them before rendering as HTML.
// HideEmail and HideActivity mirror the user's KeepEmailPrivate and
// KeepActivityPrivate flags respectively.
func User2UserSettings(user *models.User) api.UserSettings {
	var settings api.UserSettings

	// Profile text.
	settings.FullName = user.FullName
	settings.Website = user.Website
	settings.Location = user.Location
	settings.Description = user.Description

	// UI preferences.
	settings.Language = user.Language
	settings.Theme = user.Theme
	settings.DiffViewStyle = user.DiffViewStyle

	// Privacy toggles.
	settings.HideEmail = user.KeepEmailPrivate
	settings.HideActivity = user.KeepActivityPrivate

	return settings
}