diff --git a/modules/convert/convert.go b/modules/convert/convert.go index d3b2e38165b9..0fa05d08508a 100644 --- a/modules/convert/convert.go +++ b/modules/convert/convert.go @@ -256,6 +256,7 @@ func ToTeam(team *models.Team) *api.Team { } // ToUser convert models.User to api.User +// signed shall only be set if requester is logged in. authed shall only be set if user is site admin or user himself func ToUser(user *models.User, signed, authed bool) *api.User { result := &api.User{ UserName: user.Name, @@ -263,14 +264,13 @@ func ToUser(user *models.User, signed, authed bool) *api.User { FullName: markup.Sanitize(user.FullName), Created: user.CreatedUnix.AsTime(), } - // hide primary email if API caller isn't user itself or an admin - if !signed { - result.Email = "" - } else if user.KeepEmailPrivate && !authed { - result.Email = user.GetEmail() - } else { // only user himself and admin could visit these information - result.ID = user.ID + // hide primary email if API caller is anonymous or user keep email private + if signed && (!user.KeepEmailPrivate || authed) { result.Email = user.Email + } + // only site admin will get these information and possibly user himself + if authed { + result.ID = user.ID result.IsAdmin = user.IsAdmin result.LastLogin = user.LastLoginUnix.AsTime() }