forgejo/modules/convert/user.go
zeripath af96286f22
Stop sanitizing full name in API ()
The API convert.toUser function makes the incorrect assumption that full names could
be rendered as is without being escaped. It therefore runs the names through
markup.Sanitize, which leads to a double escape of user full names. This
PR removes that sanitization: the API now returns the raw full name, and API
consumers are responsible for escaping it before rendering it as HTML.

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2021-10-22 15:17:35 +08:00


// Copyright 2020 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package convert
import (
"code.gitea.io/gitea/models"
api "code.gitea.io/gitea/modules/structs"
)
// ToUser converts a models.User into its API representation.
//
// doer is the requesting user, or nil for an anonymous request. A non-nil
// doer counts as "signed in"; the privileged (admin/self-only) fields are
// included only when doer is the user themselves or a site admin.
// A nil user yields nil.
func ToUser(user, doer *models.User) *api.User {
	if user == nil {
		return nil
	}
	// Anonymous callers are neither signed in nor privileged. The `signedIn &&`
	// guard keeps the doer dereference safe when doer is nil.
	signedIn := doer != nil
	privileged := signedIn && (doer.ID == user.ID || doer.IsAdmin)
	return toUser(user, signedIn, privileged)
}
// ToUsers converts a list of models.User into API users, applying the same
// doer-based visibility rules as ToUser to every element. The result has the
// same length and order as users; nil entries map to nil.
func ToUsers(doer *models.User, users []*models.User) []*api.User {
	out := make([]*api.User, 0, len(users))
	for _, u := range users {
		out = append(out, ToUser(u, doer))
	}
	return out
}
// ToUserWithAccessMode converts a models.User into its API representation for
// a caller identified only by an access mode rather than a doer.
//
// Any access mode other than AccessModeNone is treated like a signed-in view
// (so the primary email may be shown, subject to the user's privacy setting),
// but never as a privileged one: the admin/self-only fields are always omitted.
// A nil user yields nil.
func ToUserWithAccessMode(user *models.User, accessMode models.AccessMode) *api.User {
	if user == nil {
		return nil
	}
	hasAccess := accessMode != models.AccessModeNone
	return toUser(user, hasAccess, false)
}
// toUser builds the API view of user.
//
// signed must be true only when the requester is logged in; authed must be
// true only when the requester is a site admin or the user themselves.
//
// Security notes for maintainers:
//   - FullName, Location, Website and Description are copied verbatim. They are
//     NOT sanitized here (sanitizing caused double-escaping for API clients), so
//     anything that renders these values as HTML must escape them itself.
//   - Email is pre-populated from user.GetEmail() for every caller, including
//     anonymous ones, and is only overridden with user.Email below. Whether an
//     anonymous caller sees a real address therefore depends on GetEmail(),
//     which is not visible in this file — NOTE(review): confirm it returns a
//     placeholder rather than the primary address, otherwise the "hidden from
//     anonymous" intent is not fully enforced here.
func toUser(user *models.User, signed, authed bool) *api.User {
	out := &api.User{
		ID:          user.ID,
		UserName:    user.Name,
		FullName:    user.FullName,
		Email:       user.GetEmail(),
		AvatarURL:   user.AvatarLink(),
		Created:     user.CreatedUnix.AsTime(),
		Restricted:  user.IsRestricted,
		Location:    user.Location,
		Website:     user.Website,
		Description: user.Description,
		Visibility:  user.Visibility.String(),
		// follower / following / star counters
		Followers:    user.NumFollowers,
		Following:    user.NumFollowing,
		StarredRepos: user.NumStars,
	}

	// The primary address is exposed to signed-in callers only, and then only
	// when the user has not opted to keep it private or the caller is
	// privileged (admin or self).
	showEmail := signed && (authed || !user.KeepEmailPrivate)
	if showEmail {
		out.Email = user.Email
	}

	// Account-status fields are privileged: only a site admin or the user
	// themselves may see them.
	if !authed {
		return out
	}
	out.IsAdmin = user.IsAdmin
	out.LastLogin = user.LastLoginUnix.AsTime()
	out.Language = user.Language
	out.IsActive = user.IsActive
	out.ProhibitLogin = user.ProhibitLogin
	return out
}
// User2UserSettings builds the API UserSettings for user.
//
// This is a straight field copy with no visibility filtering: it includes the
// user's privacy flags (KeepEmailPrivate -> HideEmail, KeepActivityPrivate ->
// HideActivity) and UI preferences, so callers are expected to serve it only
// to the account owner (or an equivalently privileged requester).
func User2UserSettings(user *models.User) api.UserSettings {
	var settings api.UserSettings
	// profile text — copied verbatim, not sanitized here
	settings.FullName = user.FullName
	settings.Website = user.Website
	settings.Location = user.Location
	settings.Description = user.Description
	// UI preferences
	settings.Language = user.Language
	settings.Theme = user.Theme
	settings.DiffViewStyle = user.DiffViewStyle
	// privacy flags
	settings.HideEmail = user.KeepEmailPrivate
	settings.HideActivity = user.KeepActivityPrivate
	return settings
}