Stop allowing user's data to be found via private stories

Currently, private fields such as email addresses are not filtered
out of the user data sent in the permissions list of private stories.

This commit fixes that by correctly calling _filter_private_fields on
the list of users to be returned.

Change-Id: I4fa84c6787f758455288287af9bcd5c93159b172
Adam Coldrick 2016-09-13 11:39:02 +00:00
parent d51e7d94ff
commit 4926b471e2
1 changed files with 4 additions and 2 deletions


@ -22,6 +22,7 @@ from wsme import types as wtypes
from storyboard.api.v1 import base
from storyboard.common.custom_types import NameType
from storyboard.common import event_resolvers
from storyboard.db.api import base as api_base
from storyboard.db.api import boards as boards_api
from storyboard.db.api import comments as comments_api
from storyboard.db.api import due_dates as due_dates_api
@ -247,8 +248,9 @@ class Story(base.APIBase):
@nodoc
def resolve_users(self, story):
"""Resolve the people who can see the story."""
self.users = [User.from_db_model(user)
for user in story.permissions[0].users]
users = [api_base._filter_non_public_fields(user, user._public_fields)
for user in story.permissions[0].users]
self.users = [User.from_db_model(user) for user in users]
class Tag(base.APIBase):
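Review bot: Whether `api_base._filter_non_public_fields` returns a scrubbed copy or mutates the session-attached user model in place is not visible here; if it mutates, the filtered object could be reused or flushed elsewhere in the same request, so this is worth confirming against the helper before relying on it as the only filter. The commit message names `_filter_private_fields` while the new line calls `api_base._filter_non_public_fields`, and the description should name the helper actually used. `story.permissions[0]` is carried over from the removed lines and still raises IndexError for a story with no permission rows; a guard such as `perm_users = story.permissions[0].users if story.permissions else []` would keep resolve_users from failing on that input. A one-line comment above the new list comprehension would help the next reader, e.g. `# Strip non-public fields (e.g. email) from each user before exposing the permission list.` The enclosing `class Story` starts outside the hunk.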