[BREAK] Always remove the field services from user data responses (#10799)

MarcosSpessatto · rodrigok · commit c53fa4dba94e · 2018-06-20T18:55:50.000-03:00
[BREAK] Always remove the field `services` from user data responses in REST API
diff --git a/packages/rocketchat-api/server/api.js b/packages/rocketchat-api/server/api.js
@@ -31,6 +31,9 @@ class API extends Restivus {
 			customFields: 0,
 			settings: 0
 		};
+		this.limitedUserFieldsToExcludeIfIsPrivilegedUser = {
+			services: 0
+		};
 
 		this._config.defaultOptionsEndpoint = function _defaultOptionsEndpoint() {
 			if (this.request.method === 'OPTIONS' && this.request.headers['access-control-request-method']) {
diff --git a/packages/rocketchat-api/server/helpers/parseJsonQuery.js b/packages/rocketchat-api/server/helpers/parseJsonQuery.js
@@ -22,8 +22,9 @@ RocketChat.API.helperMethods.set('parseJsonQuery', function _parseJsonQuery() {
 	// Verify the user's selected fields only contains ones which their role allows
 	if (typeof fields === 'object') {
 		let nonSelectableFields = Object.keys(RocketChat.API.v1.defaultFieldsToExclude);
-		if (!RocketChat.authz.hasPermission(this.userId, 'view-full-other-user-info') && this.request.route.includes('/v1/users.')) {
-			nonSelectableFields = nonSelectableFields.concat(Object.keys(RocketChat.API.v1.limitedUserFieldsToExclude));
+		if (this.request.route.includes('/v1/users.')) {
+			const getFields = () => Object.keys(RocketChat.authz.hasPermission(this.userId, 'view-full-other-user-info') ? RocketChat.API.v1.limitedUserFieldsToExcludeIfIsPrivilegedUser : RocketChat.API.v1.limitedUserFieldsToExclude);
+			nonSelectableFields = nonSelectableFields.concat(getFields());
 		}
 
 		Object.keys(fields).forEach((k) => {
@@ -35,8 +36,12 @@ RocketChat.API.helperMethods.set('parseJsonQuery', function _parseJsonQuery() {
 
 	// Limit the fields by default
 	fields = Object.assign({}, fields, RocketChat.API.v1.defaultFieldsToExclude);
-	if (!RocketChat.authz.hasPermission(this.userId, 'view-full-other-user-info') && this.request.route.includes('/v1/users.')) {
-		fields = Object.assign(fields, RocketChat.API.v1.limitedUserFieldsToExclude);
+	if (this.request.route.includes('/v1/users.')) {
+		if (RocketChat.authz.hasPermission(this.userId, 'view-full-other-user-info')) {
+			fields = Object.assign(fields, RocketChat.API.v1.limitedUserFieldsToExcludeIfIsPrivilegedUser);
+		} else {
+			fields = Object.assign(fields, RocketChat.API.v1.limitedUserFieldsToExclude);
+		}
 	}
 
 	let query;
@@ -51,13 +56,17 @@ RocketChat.API.helperMethods.set('parseJsonQuery', function _parseJsonQuery() {
 
 	// Verify the user has permission to query the fields they are
 	if (typeof query === 'object') {
-		let nonQuerableFields = Object.keys(RocketChat.API.v1.defaultFieldsToExclude);
-		if (!RocketChat.authz.hasPermission(this.userId, 'view-full-other-user-info') && this.request.route.includes('/v1/users.')) {
-			nonQuerableFields = nonQuerableFields.concat(Object.keys(RocketChat.API.v1.limitedUserFieldsToExclude));
+		let nonQueryableFields = Object.keys(RocketChat.API.v1.defaultFieldsToExclude);
+		if (this.request.route.includes('/v1/users.')) {
+			if (RocketChat.authz.hasPermission(this.userId, 'view-full-other-user-info')) {
+				nonQueryableFields = nonQueryableFields.concat(Object.keys(RocketChat.API.v1.limitedUserFieldsToExcludeIfIsPrivilegedUser));
+			} else {
+				nonQueryableFields = nonQueryableFields.concat(Object.keys(RocketChat.API.v1.limitedUserFieldsToExclude));
+			}
 		}
 
 		Object.keys(query).forEach((k) => {
-			if (nonQuerableFields.includes(k) || nonQuerableFields.includes(k.split(RocketChat.API.v1.fieldSeparator)[0])) {
+			if (nonQueryableFields.includes(k) || nonQueryableFields.includes(k.split(RocketChat.API.v1.fieldSeparator)[0])) {
 				delete query[k];
 			}
 		});
