Gitea: API: UserID is missing sometimes

Created on 15 Sep 2020  路  11Comments  路  Source: go-gitea/gitea

sometimes UserID is missing!!

https://gitea.com/api/swagger#/repository/repoListPullReviews

example:

GET https://gitea.com/api/v1/repos/gitea/test_repo/pulls/7/reviews -> techknowlogick has ID 0 !!

kinapi kinbug
Source
picture 6543

All 11 comments

It's not a bug :)
https://github.com/go-gitea/gitea/blob/08a905f614debd6481d7bda2913c596575e9a260/modules/convert/convert.go#L347-L354

a1012112796 picture a1012112796 on 15 Sep 2020

other endpoint's return it and it is needed for migration - inconsistency is a bug

6543 picture 6543 on 15 Sep 2020

I already know where the issue is - we have 2 differend function to convert a user into an api-user -> bad thing!!!

but didn't had time to refactor all of it

6543 picture 6543 on 15 Sep 2020

@a1012112796 just use https://gitea.com/api/swagger#/repository/repoListPullRequests and you have the ID (9)

6543 picture 6543 on 15 Sep 2020

Hmm, Maybe the id of user is not an secret message.

a1012112796 picture a1012112796 on 15 Sep 2020

found it :)
https://github.com/go-gitea/gitea/blob/08a905f614debd6481d7bda2913c596575e9a260/models/user.go#L241-L257

a1012112796 picture a1012112796 on 15 Sep 2020
👍1

So the main problem is whether the id of user should be protected?

a1012112796 picture a1012112796 on 15 Sep 2020
👀1

Chage Idea:

diff --git a/models/user.go b/models/user.go
index c7b3f0981..08237b2cb 100644
--- a/models/user.go
+++ b/models/user.go
@@ -239,21 +239,34 @@ func (u *User) GetEmail() string {
 }

 // APIFormat converts a User to api.User
-func (u *User) APIFormat() *api.User {
+func (u *User) APIFormat(doer *User) *api.User {
    if u == nil {
        return nil
    }
-   return &api.User{
-       ID:        u.ID,
+
+   result := &api.User{
        UserName:  u.Name,
        FullName:  u.FullName,
-       Email:     u.GetEmail(),
        AvatarURL: u.AvatarLink(),
        Language:  u.Language,
-       IsAdmin:   u.IsAdmin,
-       LastLogin: u.LastLoginUnix.AsTime(),
        Created:   u.CreatedUnix.AsTime(),
    }
+
+   signed := doer != nil
+   authed := doer != nil && (doer.IsAdmin || u.ID == doer.ID)
+
+   // hide primary email if API caller is anonymous or user keep email private
+   if signed && (!u.KeepEmailPrivate || authed) {
+       result.Email = u.Email
+   }
+   // only site admin will get these information and possibly user himself
+   if authed {
+       result.ID = u.ID
+       result.IsAdmin = u.IsAdmin
+       result.LastLogin = u.LastLoginUnix.AsTime()
+       result.Language = u.Language
+   }
+   return result
 }

 // IsLocal returns true if user login type is LoginPlain.

Then will face a big work :(
tmp

a1012112796 picture a1012112796 on 15 Sep 2020

there are more .APIFormat() but only around 64 for user :D
and yes it has to be refactored to use convert package

6543 picture 6543 on 15 Sep 2020

@a1012112796 I have created #12855 to fix this issue

and #12856 witch wont get into v1.13 who will remove APIFormat ...

6543 picture 6543 on 15 Sep 2020

@a1012112796 the refactor for User -> API-User convert refactor is ready :)

-> #12856

6543 picture 6543 on 27 Sep 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

cookiengineer picture cookiengineer  路  3Comments
BNolet picture BNolet  路  3Comments
thehowl picture thehowl  路  3Comments
kifirkin picture kifirkin  路  3Comments
mirhec picture mirhec  路  3Comments