From 27cf5d39c09d9efaaf24e353309044759cacd047 Mon Sep 17 00:00:00 2001
From: Adam Coldrick
Date: Mon, 18 Jul 2016 14:00:26 +0000
Subject: [PATCH] Filter non-public fields when returning users in a Team

Users have some private information, including email addresses, which we should not share. This patch fixes a bug whereby doing `GET /v1/teams/:id/users` or `PUT /v1/teams/:id/users/:user_id` includes the private data in the response.

Change-Id: If9d3ad80116cd2091c396afab9310fa1962401fc
---
 storyboard/api/v1/teams.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/storyboard/api/v1/teams.py b/storyboard/api/v1/teams.py
index 362a0919..d105306c 100644
--- a/storyboard/api/v1/teams.py
+++ b/storyboard/api/v1/teams.py
@@ -27,6 +27,7 @@ from storyboard.api.v1 import validations
 from storyboard.api.v1 import wmodels
 from storyboard.common import decorators
 from storyboard.common import exception as exc
+from storyboard.db.api import base as api_base
 from storyboard.db.api import teams as teams_api
 from storyboard.db.api import users as users_api
 from storyboard.openstack.common.gettextutils import _ # noqas
@@ -51,7 +52,9 @@ class UsersSubcontroller(rest.RestController):
         if not team:
             raise exc.NotFound(_("Team %s not found") % team_id)
 
-        return [wmodels.User.from_db_model(user) for user in team.users]
+        users = [api_base._filter_non_public_fields(user, user._public_fields)
+                 for user in team.users]
+        return [wmodels.User.from_db_model(user) for user in users]
 
     @decorators.db_exceptions
     @secure(checks.superuser)
@@ -65,6 +68,7 @@ class UsersSubcontroller(rest.RestController):
         teams_api.team_add_user(team_id, user_id)
         user = users_api.user_get(user_id)
+        user = api_base._filter_non_public_fields(user, user._public_fields)
         return wmodels.User.from_db_model(user)
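Review bot: The added lines in the second hunk (`users = [api_base._filter_non_public_fields(user, user._public_fields) ...`) reach into a leading-underscore helper of another module and a leading-underscore attribute of the model, and the third hunk repeats the same pattern on the result of `users_api.user_get(user_id)`. Folding both call sites into one module-private helper, `def _public_user(db_user): return wmodels.User.from_db_model(api_base._filter_non_public_fields(db_user, db_user._public_fields))`, keeps the redaction in a single place so a future endpoint that returns users in this file cannot skip it, which matters because the data being withheld is email addresses. Whether `_filter_non_public_fields` returns a detached copy or blanks attributes on the live ORM instance is not visible in this patch; if it is the latter, the object is still attached to the session, so it is worth confirming nothing flushes those changes back. The diffstat shows only teams.py changed, so a regression test asserting that the `GET /v1/teams/:id/users` and `PUT /v1/teams/:id/users/:user_id` responses carry no email field would pin the fix. Both enclosing methods start outside their hunks.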