mirror of
				https://github.com/go-gitea/gitea.git
				synced 2025-10-25 09:34:29 +02:00 
			
		
		
		
	The API convert.toUser function makes the incorrect assumption that full names could be rendered as is without being escaped. It therefore runs the names through markup.Sanitize which leads to a double escape of user full names. This pr stops this. Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
		
			
				
	
	
		
			97 lines
		
	
	
		
			2.8 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
			
		
		
	
	
			97 lines
		
	
	
		
			2.8 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
| // Copyright 2020 The Gitea Authors. All rights reserved.
 | |
| // Use of this source code is governed by a MIT-style
 | |
| // license that can be found in the LICENSE file.
 | |
| 
 | |
| package convert
 | |
| 
 | |
| import (
 | |
| 	"code.gitea.io/gitea/models"
 | |
| 	api "code.gitea.io/gitea/modules/structs"
 | |
| )
 | |
| 
 | |
| // ToUser convert models.User to api.User
 | |
| // if doer is set, private information is added if the doer has the permission to see it
 | |
| func ToUser(user, doer *models.User) *api.User {
 | |
| 	if user == nil {
 | |
| 		return nil
 | |
| 	}
 | |
| 	authed := false
 | |
| 	signed := false
 | |
| 	if doer != nil {
 | |
| 		signed = true
 | |
| 		authed = doer.ID == user.ID || doer.IsAdmin
 | |
| 	}
 | |
| 	return toUser(user, signed, authed)
 | |
| }
 | |
| 
 | |
| // ToUsers convert list of models.User to list of api.User
 | |
| func ToUsers(doer *models.User, users []*models.User) []*api.User {
 | |
| 	result := make([]*api.User, len(users))
 | |
| 	for i := range users {
 | |
| 		result[i] = ToUser(users[i], doer)
 | |
| 	}
 | |
| 	return result
 | |
| }
 | |
| 
 | |
| // ToUserWithAccessMode convert models.User to api.User
 | |
| // AccessMode is not none show add some more information
 | |
| func ToUserWithAccessMode(user *models.User, accessMode models.AccessMode) *api.User {
 | |
| 	if user == nil {
 | |
| 		return nil
 | |
| 	}
 | |
| 	return toUser(user, accessMode != models.AccessModeNone, false)
 | |
| }
 | |
| 
 | |
| // toUser convert models.User to api.User
 | |
| // signed shall only be set if requester is logged in. authed shall only be set if user is site admin or user himself
 | |
| func toUser(user *models.User, signed, authed bool) *api.User {
 | |
| 	result := &api.User{
 | |
| 		ID:          user.ID,
 | |
| 		UserName:    user.Name,
 | |
| 		FullName:    user.FullName,
 | |
| 		Email:       user.GetEmail(),
 | |
| 		AvatarURL:   user.AvatarLink(),
 | |
| 		Created:     user.CreatedUnix.AsTime(),
 | |
| 		Restricted:  user.IsRestricted,
 | |
| 		Location:    user.Location,
 | |
| 		Website:     user.Website,
 | |
| 		Description: user.Description,
 | |
| 		// counter's
 | |
| 		Followers:    user.NumFollowers,
 | |
| 		Following:    user.NumFollowing,
 | |
| 		StarredRepos: user.NumStars,
 | |
| 	}
 | |
| 
 | |
| 	result.Visibility = user.Visibility.String()
 | |
| 
 | |
| 	// hide primary email if API caller is anonymous or user keep email private
 | |
| 	if signed && (!user.KeepEmailPrivate || authed) {
 | |
| 		result.Email = user.Email
 | |
| 	}
 | |
| 
 | |
| 	// only site admin will get these information and possibly user himself
 | |
| 	if authed {
 | |
| 		result.IsAdmin = user.IsAdmin
 | |
| 		result.LastLogin = user.LastLoginUnix.AsTime()
 | |
| 		result.Language = user.Language
 | |
| 		result.IsActive = user.IsActive
 | |
| 		result.ProhibitLogin = user.ProhibitLogin
 | |
| 	}
 | |
| 	return result
 | |
| }
 | |
| 
 | |
| // User2UserSettings return UserSettings based on a user
 | |
| func User2UserSettings(user *models.User) api.UserSettings {
 | |
| 	return api.UserSettings{
 | |
| 		FullName:      user.FullName,
 | |
| 		Website:       user.Website,
 | |
| 		Location:      user.Location,
 | |
| 		Language:      user.Language,
 | |
| 		Description:   user.Description,
 | |
| 		Theme:         user.Theme,
 | |
| 		HideEmail:     user.KeepEmailPrivate,
 | |
| 		HideActivity:  user.KeepActivityPrivate,
 | |
| 		DiffViewStyle: user.DiffViewStyle,
 | |
| 	}
 | |
| }
 |