authorDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2014-06-13 17:46:48 +0300
committerDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2014-06-13 17:46:48 +0300
commitae564c97d48bf728745c57720734cb40378fd90f (patch)
treed9ac31827984c443b9c219deef29309a5e251125 /lib/api
parentd5b0f29c4a3a9d7da849d91a16f70bd494831da7 (diff)
Dont expose user email via API
To prevent leaking of user info we reduce the amount of user information retrieved via the API for normal users. What a user can get via the API: * if not admin: only id, state, name, username and avatar_url * if admin: all user information * about himself: all information Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
Diffstat (limited to 'lib/api')
-rw-r--r--lib/api/entities.rb31
-rw-r--r--lib/api/internal.rb1
-rw-r--r--lib/api/projects.rb2
-rw-r--r--lib/api/users.rb18
4 files changed, 30 insertions, 22 deletions
diff --git a/lib/api/entities.rb b/lib/api/entities.rb
index f15fe185ae0..b190646a1e3 100644
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -1,28 +1,27 @@
module API
module Entities
- class User < Grape::Entity
- expose :id, :username, :email, :name, :bio, :skype, :linkedin, :twitter, :website_url,
- :theme_id, :color_scheme_id, :state, :created_at, :extern_uid, :provider
- expose :is_admin?, as: :is_admin
- expose :can_create_group?, as: :can_create_group
- expose :can_create_project?, as: :can_create_project
+ class UserSafe < Grape::Entity
+ expose :name, :username
+ end
- expose :avatar_url do |user, options|
- if user.avatar.present?
- user.avatar.url
- end
- end
+ class UserBasic < UserSafe
+ expose :id, :state, :avatar_url
end
- class UserSafe < Grape::Entity
- expose :name, :username
+ class User < UserBasic
+ expose :created_at
+ expose :is_admin?, as: :is_admin
+ expose :bio, :skype, :linkedin, :twitter, :website_url
end
- class UserBasic < Grape::Entity
- expose :id, :username, :email, :name, :state, :created_at
+ class UserFull < User
+ expose :email
+ expose :theme_id, :color_scheme_id, :extern_uid, :provider
+ expose :can_create_group?, as: :can_create_group
+ expose :can_create_project?, as: :can_create_project
end
- class UserLogin < User
+ class UserLogin < UserFull
expose :private_token
end
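Review bot: `UserBasic` now exposes `:avatar_url` as a plain attribute (`expose :id, :state, :avatar_url`), whereas the removed block only produced a URL when `user.avatar.present?`; this relies on the model providing an `avatar_url` method that copes with a missing avatar, which is not visible here — confirm it exists, otherwise serialization of any avatar-less user fails. Separately, the intermediate `User` entity still exposes `is_admin`, `bio` and `created_at` to whoever presents with it, and this commit only switches the callers in users.rb and projects.rb, so any other presenter still using `Entities::User` (nested author/owner exposures, for instance) would not match the "only id, state, name, username and avatar_url" rule in the description. A one-line comment on each class stating its audience would keep the hierarchy from drifting, e.g. `# UserBasic: what any authenticated API user may see about another user` and `# UserFull: admin-only (or the user about themselves); includes email and provider data`.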
diff --git a/lib/api/internal.rb b/lib/api/internal.rb
index 06c66ba0b35..5850892df07 100644
--- a/lib/api/internal.rb
+++ b/lib/api/internal.rb
@@ -59,4 +59,3 @@ module API
end
end
end
-
diff --git a/lib/api/projects.rb b/lib/api/projects.rb
index 9a7f22b536f..732c969d7ef 100644
--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
@@ -209,7 +209,7 @@ module API
@users = User.where(id: user_project.team.users.map(&:id))
@users = @users.search(params[:search]) if params[:search].present?
@users = paginate @users
- present @users, with: Entities::User
+ present @users, with: Entities::UserBasic
end
# Get a project labels
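Review bot: Project members are presented as `Entities::UserBasic` for every caller, including admins, while the `/users` endpoints changed in this same commit branch on `current_user.is_admin?` to return `UserFull`. If the reduced view here is intentional it deserves a comment so the next reader does not "fix" it, e.g. `# Members are always presented as UserBasic; admins can fetch full details via /users/:id`. The enclosing route block starts outside the hunk.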
diff --git a/lib/api/users.rb b/lib/api/users.rb
index 6ed2740c333..92dbe97f0a4 100644
--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -13,7 +13,12 @@ module API
@users = @users.active if params[:active].present?
@users = @users.search(params[:search]) if params[:search].present?
@users = paginate @users
- present @users, with: Entities::User
+
+ if current_user.is_admin?
+ present @users, with: Entities::UserFull
+ else
+ present @users, with: Entities::UserBasic
+ end
end
# Get a single user
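Review bot: The admin check and the pair of `present` calls are duplicated verbatim here and in the `get ":id"` hunk below; selecting the entity once reads better and keeps the two paths from diverging: `entity = current_user.is_admin? ? Entities::UserFull : Entities::UserBasic` followed by `present @users, with: entity`. `current_user.is_admin?` also assumes `current_user` is never nil at this point, which holds only if an authentication before-filter covers this resource — that is outside the hunk. The enclosing `get` block starts outside the hunk.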
@@ -24,7 +29,12 @@ module API
# GET /users/:id
get ":id" do
@user = User.find(params[:id])
- present @user, with: Entities::User
+
+ if current_user.is_admin?
+ present @user, with: Entities::UserFull
+ else
+ present @user, with: Entities::UserBasic
+ end
end
# Create user. Available only for admin
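Review bot: `GET /users/:id` returns `UserBasic` to a non-admin even when `params[:id]` is the caller's own id, although the description promises "about himself: all information"; the condition at `if current_user.is_admin?` only covers the admin case. If the self case is meant to be served by a separate `/user` endpoint rather than here, a comment stating that would remove the apparent mismatch, e.g. `# Non-admins see the basic entity even for their own record; use /user for the full self view`; otherwise the branch should read `if current_user.is_admin? || @user == current_user`.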
@@ -53,7 +63,7 @@ module API
admin = attrs.delete(:admin)
user.admin = admin unless admin.nil?
if user.save
- present user, with: Entities::User
+ present user, with: Entities::UserFull
else
not_found!
end
@@ -87,7 +97,7 @@ module API
admin = attrs.delete(:admin)
user.admin = admin unless admin.nil?
if user.update_attributes(attrs, as: :admin)
- present user, with: Entities::User
+ present user, with: Entities::UserFull
else
not_found!
end