From ae564c97d48bf728745c57720734cb40378fd90f Mon Sep 17 00:00:00 2001 From: Dmitriy Zaporozhets Date: Fri, 13 Jun 2014 17:46:48 +0300 Subject: Dont expose user email via API To prevent leaking of users info we reduce amount of user information retrieved via API for normal users. What user can get via API: * if not admin: only id, state, name, username and avatar_url * if admin: all user information * about himself: all informaion Signed-off-by: Dmitriy Zaporozhets --- lib/api/entities.rb | 31 +++++++++++++++---------------- 1 file changed, 15 insertions(+), 16 deletions(-) (limited to 'lib/api/entities.rb') diff --git a/lib/api/entities.rb b/lib/api/entities.rb index f15fe185ae0..b190646a1e3 100644 --- a/lib/api/entities.rb +++ b/lib/api/entities.rb @@ -1,28 +1,27 @@ module API module Entities - class User < Grape::Entity - expose :id, :username, :email, :name, :bio, :skype, :linkedin, :twitter, :website_url, - :theme_id, :color_scheme_id, :state, :created_at, :extern_uid, :provider - expose :is_admin?, as: :is_admin - expose :can_create_group?, as: :can_create_group - expose :can_create_project?, as: :can_create_project + class UserSafe < Grape::Entity + expose :name, :username + end - expose :avatar_url do |user, options| - if user.avatar.present? - user.avatar.url - end - end + class UserBasic < UserSafe + expose :id, :state, :avatar_url end - class UserSafe < Grape::Entity - expose :name, :username + class User < UserBasic + expose :created_at + expose :is_admin?, as: :is_admin + expose :bio, :skype, :linkedin, :twitter, :website_url end - class UserBasic < Grape::Entity - expose :id, :username, :email, :name, :state, :created_at + class UserFull < User + expose :email + expose :theme_id, :color_scheme_id, :extern_uid, :provider + expose :can_create_group?, as: :can_create_group + expose :can_create_project?, as: :can_create_project end - class UserLogin < User + class UserLogin < UserFull expose :private_token end -- cgit v1.2.1