
API does not consistently return User properties #14446

Closed
0x6d61726b opened this issue Jan 24, 2021 · 0 comments · Fixed by #15144
Labels
modifies/api This PR adds API routes or modifies them

Comments

@0x6d61726b

  • Gitea version (or commit ref):
    • 1.13.1
    • 1.14.0+dev-598-g4acb499f3
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No

Description

First of all, I have to say that Gitea is a great and very remarkable software product that I have been using privately for quite some time now.
To learn more, I am currently playing around with the Gitea API v1, where I have found that the User information returned is different from my expectations.

When calling https://try.gitea.io/api/v1/user?token=<token-of-0x6d61726b> and https://try.gitea.io/api/v1/users/0x6d61726b?token=<token-of-0x6d61726b>, the public and private information is returned:
[screenshot]

When calling https://try.gitea.io/api/v1/users/0x6d61726b-2?token=<token-of-0x6d61726b> (getting information about another user), the public information is returned correctly, whereas the private properties (administrator-accessible properties like email, is_admin, language, last_login) are filled with (logically valid) defaults:
[screenshot]

When calling https://try.gitea.io/api/v1/users/0x6d61726b-2/followers?token=<token-of-0x6d61726b> (0x6d61726b is following 0x6d61726b-2), the private properties of my own User (email, is_admin, language, last_login) are filled with (logically valid) defaults, too:
[screenshot]

Expectation

  • I expected that public and private User information is always returned for one's own User or when using an administrator account.
  • When using a non-administrator account and querying other User information, I expect to get only the properties I have access to (private ones are not transmitted) or that those properties are truly empty/invalid (especially for the email address or the is_admin property), like:
    [screenshot]

Questions

  • Is it expected that one's own User information is returned in "public only" format when listed as a follower?
  • How can someone be absolutely sure the information received is valid even when the provided format is valid (like is_admin equals false or email contains a correctly formatted address string)?

From what I currently have in mind, it would be better if Gitea returned only valid/accessible information to the API user, instead of the API user having to guess, through post-processing on their end, which of the received information is valid and which is not.
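To illustrate the behaviour the report asks for, here is an added Go example (not Gitea's own code) with a constructed account record and a serialiser that omits the privileged properties (email, is_admin, last_login) from the JSON entirely unless the viewer is the account itself or an administrator, so a client never sees a default that looks like real data. The `id` and `login` keys and the `User` record layout are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"time"
)

// User is a constructed stand-in for a stored account record (not Gitea's model).
type User struct {
	ID        int64
	Name      string
	Email     string
	IsAdmin   bool
	LastLogin time.Time
}

// APIUser is the response shape. Privileged properties are pointers tagged
// omitempty: a nil pointer is dropped from the JSON entirely instead of being
// sent as a plausible-looking default (email "", is_admin false).
type APIUser struct {
	ID        int64      `json:"id"`
	Login     string     `json:"login"`
	Email     *string    `json:"email,omitempty"`
	IsAdmin   *bool      `json:"is_admin,omitempty"`
	LastLogin *time.Time `json:"last_login,omitempty"`
}

// canSeePrivate grants the privileged properties to the account itself and to
// administrators, the expectation stated in the issue; nil viewer = anonymous.
func canSeePrivate(subject, viewer *User) bool {
	return viewer != nil && (viewer.ID == subject.ID || viewer.IsAdmin)
}

// ToAPIUser builds the response for subject as seen by viewer. Without the
// permission check, the zero values would be serialised and look legitimate.
func ToAPIUser(subject, viewer *User) APIUser {
	out := APIUser{ID: subject.ID, Login: subject.Name}
	if canSeePrivate(subject, viewer) {
		out.Email, out.IsAdmin = &subject.Email, &subject.IsAdmin
		out.LastLogin = &subject.LastLogin
	}
	return out
}

// RenderUser returns the JSON body a client would receive.
func RenderUser(subject, viewer *User) (string, error) {
	b, err := json.Marshal(ToAPIUser(subject, viewer))
	return string(b), err
}
```

RenderUser(other, me) yields only the id and login keys, while RenderUser(me, me) and an administrator's view carry the full set, including an explicit is_admin false.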

@noerw noerw added the modifies/api This PR adds API routes or modifies them label Mar 24, 2021
@go-gitea go-gitea locked and limited conversation to collaborators May 13, 2021