From 6dc7b4d533a0e37b6430bb91127fe7df0dfe8260 Mon Sep 17 00:00:00 2001 From: DacongDA Date: Mon, 16 Jun 2025 20:09:21 +0800 Subject: [PATCH] feat: get-user API respects org's account item's view rules now (#3882) --- controllers/user.go | 10 ++++- object/user.go | 56 ++++++++++++++++++++++++++ object/user_util.go | 96 ++++++++++++++++++++++++++------------------- 3 files changed, 121 insertions(+), 41 deletions(-) diff --git a/controllers/user.go b/controllers/user.go index 2fd21a95..17581b88 100644 --- a/controllers/user.go +++ b/controllers/user.go @@ -197,8 +197,8 @@ func (c *ApiController) GetUser() { return } + var organization *object.Organization if user != nil { - var organization *object.Organization organization, err = object.GetOrganizationByUser(user) if err != nil { c.ResponseError(err.Error()) @@ -237,6 +237,14 @@ func (c *ApiController) GetUser() { return } + if organization != nil && user != nil { + user, err = object.GetFilteredUser(user, c.IsAdmin(), c.IsAdminOrSelf(user), organization.AccountItems) + if err != nil { + c.ResponseError(err.Error()) + return + } + } + c.ResponseOk(user) } diff --git a/object/user.go b/object/user.go index fdf78c0f..5a908dba 100644 --- a/object/user.go +++ b/object/user.go @@ -661,6 +661,62 @@ func GetMaskedUser(user *User, isAdminOrSelf bool, errs ...error) (*User, error) return user, nil } +func GetFilteredUser(user *User, isAdmin bool, isAdminOrSelf bool, accountItems []*AccountItem) (*User, error) { + if accountItems == nil || len(accountItems) == 0 { + return user, nil + } + + userFieldMap := map[string]int{} + + reflectedUserField := reflect.TypeOf(User{}) + for i := 0; i < reflectedUserField.NumField(); i++ { + userFieldMap[strings.ToLower(reflectedUserField.Field(i).Name)] = i + } + + reflectedUser := reflect.ValueOf(user).Elem() + + for _, accountItem := range accountItems { + if accountItem.ViewRule == "Public" { + continue + } else if accountItem.ViewRule == "Self" && isAdminOrSelf { + continue + } else if accountItem.ViewRule == "Admin" && isAdmin { + continue + } + + lowerCaseAccountItemName := strings.ToLower(accountItem.Name) + lowerCaseAccountItemName = strings.ReplaceAll(lowerCaseAccountItemName, " ", "") + + switch accountItem.Name { + case "Multi-factor authentication": + lowerCaseAccountItemName = strings.ToLower("PreferredMfaType") + case "User type": + lowerCaseAccountItemName = "type" + case "Country/Region": + lowerCaseAccountItemName = "region" + case "ID card info": + { + infoKeys := []string{"idCardWithPerson", "idCardFront", "idCardWithPerson"} + for _, infoKey := range infoKeys { + if _, ok := user.Properties[infoKey]; ok { + user.Properties[infoKey] = "" + } + } + continue + } + } + + fieldIdx, ok := userFieldMap[lowerCaseAccountItemName] + if !ok { + continue + } + + reflectedUser.Field(fieldIdx).SetZero() + } + + return user, nil +} + func GetMaskedUsers(users []*User, errs ...error) ([]*User, error) { if len(errs) > 0 && errs[0] != nil { return nil, errs[0] diff --git a/object/user_util.go b/object/user_util.go index 1a8a03ec..019ba7be 100644 --- a/object/user_util.go +++ b/object/user_util.go @@ -263,6 +263,18 @@ func ClearUserOAuthProperties(user *User, providerType string) (bool, error) { return affected != 0, nil } +func userVisible(isAdmin bool, item *AccountItem) bool { + if item == nil { + return false + } + + if item.ViewRule == "Admin" && !isAdmin { + return false + } + + return true +} + func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDisplayNameEmpty bool, lang string) (bool, string) { organization, err := GetOrganizationByUser(oldUser) if err != nil { @@ -273,7 +285,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis if oldUser.Owner != newUser.Owner { item := GetAccountItemByName("Organization", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.Owner = oldUser.Owner } else { itemsChanged = append(itemsChanged, item) @@ -281,7 +293,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis } if oldUser.Name != newUser.Name { item := GetAccountItemByName("Name", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.Name = oldUser.Name } else { itemsChanged = append(itemsChanged, item) @@ -289,7 +301,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis } if oldUser.Id != newUser.Id { item := GetAccountItemByName("ID", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.Id = oldUser.Id } else { itemsChanged = append(itemsChanged, item) @@ -297,7 +309,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis } if oldUser.DisplayName != newUser.DisplayName { item := GetAccountItemByName("Display name", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.DisplayName = oldUser.DisplayName } else { if !allowDisplayNameEmpty && newUser.DisplayName == "" { @@ -309,7 +321,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis } if oldUser.Avatar != newUser.Avatar { item := GetAccountItemByName("Avatar", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.Avatar = oldUser.Avatar } else { itemsChanged = append(itemsChanged, item) @@ -317,7 +329,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis } if oldUser.Type != newUser.Type { item := GetAccountItemByName("User type", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.Type = oldUser.Type } else { itemsChanged = append(itemsChanged, item) @@ -326,7 +338,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis // The password is *** when not modified if oldUser.Password != newUser.Password && newUser.Password != "***" { item := GetAccountItemByName("Password", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.Password = oldUser.Password } else { itemsChanged = append(itemsChanged, item) @@ -334,7 +346,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis } if oldUser.Email != newUser.Email { item := GetAccountItemByName("Email", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.Email = oldUser.Email } else { itemsChanged = append(itemsChanged, item) @@ -342,7 +354,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis } if oldUser.Phone != newUser.Phone { item := GetAccountItemByName("Phone", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.Phone = oldUser.Phone } else { itemsChanged = append(itemsChanged, item) @@ -350,7 +362,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis } if oldUser.CountryCode != newUser.CountryCode { item := GetAccountItemByName("Country code", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.CountryCode = oldUser.CountryCode } else { itemsChanged = append(itemsChanged, item) @@ -358,7 +370,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis } if oldUser.Region != newUser.Region { item := GetAccountItemByName("Country/Region", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.Region = oldUser.Region } else { itemsChanged = append(itemsChanged, item) @@ -366,7 +378,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis } if oldUser.Location != newUser.Location { item := GetAccountItemByName("Location", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.Location = oldUser.Location } else { itemsChanged = append(itemsChanged, item) @@ -374,7 +386,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis } if oldUser.Affiliation != newUser.Affiliation { item := GetAccountItemByName("Affiliation", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.Affiliation = oldUser.Affiliation } else { itemsChanged = append(itemsChanged, item) @@ -382,7 +394,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis } if oldUser.Title != newUser.Title { item := GetAccountItemByName("Title", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.Title = oldUser.Title } else { itemsChanged = append(itemsChanged, item) @@ -390,7 +402,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis } if oldUser.Homepage != newUser.Homepage { item := GetAccountItemByName("Homepage", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.Homepage = oldUser.Homepage } else { itemsChanged = append(itemsChanged, item) @@ -398,7 +410,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis } if oldUser.Bio != newUser.Bio { item := GetAccountItemByName("Bio", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.Bio = oldUser.Bio } else { itemsChanged = append(itemsChanged, item) @@ -406,7 +418,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis } if oldUser.Tag != newUser.Tag { item := GetAccountItemByName("Tag", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.Tag = oldUser.Tag } else { itemsChanged = append(itemsChanged, item) @@ -414,7 +426,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis } if oldUser.SignupApplication != newUser.SignupApplication { item := GetAccountItemByName("Signup application", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.SignupApplication = oldUser.SignupApplication } else { itemsChanged = append(itemsChanged, item) @@ -423,7 +435,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis if oldUser.Gender != newUser.Gender { item := GetAccountItemByName("Gender", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.Gender = oldUser.Gender } else { itemsChanged = append(itemsChanged, item) @@ -432,7 +444,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis if oldUser.Birthday != newUser.Birthday { item := GetAccountItemByName("Birthday", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.Birthday = oldUser.Birthday } else { itemsChanged = append(itemsChanged, item) @@ -441,7 +453,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis if oldUser.Education != newUser.Education { item := GetAccountItemByName("Education", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.Education = oldUser.Education } else { itemsChanged = append(itemsChanged, item) @@ -450,7 +462,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis if oldUser.IdCard != newUser.IdCard { item := GetAccountItemByName("ID card", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.IdCard = oldUser.IdCard } else { itemsChanged = append(itemsChanged, item) @@ -459,7 +471,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis if oldUser.IdCardType != newUser.IdCardType { item := GetAccountItemByName("ID card type", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.IdCardType = oldUser.IdCardType } else { itemsChanged = append(itemsChanged, item) @@ -467,10 +479,13 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis } oldUserPropertiesJson, _ := json.Marshal(oldUser.Properties) + if newUser.Properties == nil { + newUser.Properties = make(map[string]string) + } newUserPropertiesJson, _ := json.Marshal(newUser.Properties) if string(oldUserPropertiesJson) != string(newUserPropertiesJson) { item := GetAccountItemByName("Properties", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.Properties = oldUser.Properties } else { itemsChanged = append(itemsChanged, item) @@ -479,7 +494,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis if oldUser.PreferredMfaType != newUser.PreferredMfaType { item := GetAccountItemByName("Multi-factor authentication", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.PreferredMfaType = oldUser.PreferredMfaType } else { itemsChanged = append(itemsChanged, item) @@ -490,13 +505,14 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis oldUser.Groups = []string{} } oldUserGroupsJson, _ := json.Marshal(oldUser.Groups) + if newUser.Groups == nil { newUser.Groups = []string{} } newUserGroupsJson, _ := json.Marshal(newUser.Groups) if string(oldUserGroupsJson) != string(newUserGroupsJson) { item := GetAccountItemByName("Groups", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.Groups = oldUser.Groups } else { itemsChanged = append(itemsChanged, item) @@ -514,7 +530,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis newUserAddressJson, _ := json.Marshal(newUser.Address) if string(oldUserAddressJson) != string(newUserAddressJson) { item := GetAccountItemByName("Address", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.Address = oldUser.Address } else { itemsChanged = append(itemsChanged, item) @@ -523,7 +539,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis if newUser.FaceIds != nil { item := GetAccountItemByName("Face ID", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.FaceIds = oldUser.FaceIds } else { itemsChanged = append(itemsChanged, item) @@ -532,7 +548,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis if oldUser.IsAdmin != newUser.IsAdmin { item := GetAccountItemByName("Is admin", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.IsAdmin = oldUser.IsAdmin } else { itemsChanged = append(itemsChanged, item) @@ -541,7 +557,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis if oldUser.IsForbidden != newUser.IsForbidden { item := GetAccountItemByName("Is forbidden", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.IsForbidden = oldUser.IsForbidden } else { itemsChanged = append(itemsChanged, item) @@ -549,7 +565,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis } if oldUser.IsDeleted != newUser.IsDeleted { item := GetAccountItemByName("Is deleted", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.IsDeleted = oldUser.IsDeleted } else { itemsChanged = append(itemsChanged, item) @@ -557,7 +573,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis } if oldUser.NeedUpdatePassword != newUser.NeedUpdatePassword { item := GetAccountItemByName("Need update password", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.NeedUpdatePassword = oldUser.NeedUpdatePassword } else { itemsChanged = append(itemsChanged, item) @@ -565,7 +581,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis } if oldUser.IpWhitelist != newUser.IpWhitelist { item := GetAccountItemByName("IP whitelist", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.IpWhitelist = oldUser.IpWhitelist } else { itemsChanged = append(itemsChanged, item) @@ -574,7 +590,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis if oldUser.Balance != newUser.Balance { item := GetAccountItemByName("Balance", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.Balance = oldUser.Balance } else { itemsChanged = append(itemsChanged, item) @@ -583,7 +599,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis if oldUser.Score != newUser.Score { item := GetAccountItemByName("Score", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.Score = oldUser.Score } else { itemsChanged = append(itemsChanged, item) @@ -592,7 +608,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis if oldUser.Karma != newUser.Karma { item := GetAccountItemByName("Karma", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.Karma = oldUser.Karma } else { itemsChanged = append(itemsChanged, item) @@ -601,7 +617,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis if oldUser.Language != newUser.Language { item := GetAccountItemByName("Language", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.Language = oldUser.Language } else { itemsChanged = append(itemsChanged, item) @@ -610,7 +626,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis if oldUser.Ranking != newUser.Ranking { item := GetAccountItemByName("Ranking", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.Ranking = oldUser.Ranking } else { itemsChanged = append(itemsChanged, item) @@ -619,7 +635,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis if oldUser.Currency != newUser.Currency { item := GetAccountItemByName("Currency", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.Currency = oldUser.Currency } else { itemsChanged = append(itemsChanged, item) @@ -628,7 +644,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis if oldUser.Hash != newUser.Hash { item := GetAccountItemByName("Hash", organization) - if item == nil { + if !userVisible(isAdmin, item) { newUser.Hash = oldUser.Hash } else { itemsChanged = append(itemsChanged, item)