From 1ae6adff8ee8d2a5362c828ecffb4c848ce5e757 Mon Sep 17 00:00:00 2001
From: fengxsong
Date: Fri, 3 Mar 2023 18:18:41 +0800
Subject: [PATCH] fix(secure): remove user list from roles and permissions field to avoid leaking userlist (#1614)
* fix(secure): remove user list from roles and permissions field to avoid leaking userlist
Signed-off-by: fengxsong
* Update permission.go
* Update role.go
---------
Signed-off-by: fengxsong
Co-authored-by: hsluoyz
---
 object/permission.go | 4 ++++
 object/role.go | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/object/permission.go b/object/permission.go
index b5a47c3e..2200f307 100644
--- a/object/permission.go
+++ b/object/permission.go
@@ -245,6 +245,10 @@ func GetPermissionsByUser(userId string) []*Permission {
 panic(err)
 }
 
+ for i := range permissions {
+ permissions[i].Users = nil
+ }
+
 return permissions
 }
 
diff --git a/object/role.go b/object/role.go
index 01663ce5..1e477047 100644
--- a/object/role.go
+++ b/object/role.go
@@ -159,6 +159,10 @@ func GetRolesByUser(userId string) []*Role {
 panic(err)
 }
 
+ for i := range roles {
+ roles[i].Users = nil
+ }
+
 return roles
 }
 
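Review bot: The added loop in GetPermissionsByUser (object/permission.go) clears `Users` inside the data-access getter itself, so every caller receives the redacted objects, not only the path that serialises them to the requesting user; the loop in GetRolesByUser (object/role.go) has the same property. Both function bodies start outside their hunks and no callers are shown, so it is worth confirming that nothing uses the result for an authorization decision or writes it back to storage, where an emptied `Users` would be wrong or destructive. At minimum the redaction should be documented on both functions, e.g. `// Users is cleared before returning so a caller cannot enumerate the other members; the result must not be persisted.` If Permission and Role carry other membership-style fields, they presumably need the same review, since only `Users` is cleared here.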