events: Remove some properties of user sent to spectators.

2025-11-02 21:13:36 +00:00 · 2022-02-16 12:40:43 +00:00
parent 947b2b55fe
commit 762cf72305
2 changed files with 30 additions and 0 deletions
--- a/zerver/lib/users.py
+++ b/zerver/lib/users.py
@@ -3,6 +3,7 @@ import unicodedata
 from collections import defaultdict
 from typing import Any, Dict, List, Optional, Sequence, Union, cast
 import dateutil.parser as date_parser
 from django.conf import settings
 from django.core.exceptions import ValidationError
 from django.db.models.query import QuerySet
@@ -425,6 +426,14 @@ def format_user_row(
        date_joined=row["date_joined"].isoformat(),
    )
    if acting_user is None:
        # Remove data about other users which are not useful to spectators
        # or can reveal personal information about a user.
        # Only send day level precision date_joined data to spectators.
        del result["is_billing_admin"]
        del result["timezone"]
        result["date_joined"] = str(date_parser.parse(result["date_joined"]).date())
    # Zulip clients that support using `GET /avatar/{user_id}` as a
    # fallback if we didn't send an avatar URL in the user object pass
    # user_avatar_url_field_optional in client_capabilities.
--- a/zerver/tests/test_home.py
+++ b/zerver/tests/test_home.py
@@ -360,6 +360,27 @@ class HomeTest(ZulipTestCase):
        self.assertEqual(actual_keys, expected_keys)
        self.assertEqual(self.client.session.get("prefers_web_public_view"), True)
        # Test information passed to client about users.
        page_params = self._get_page_params(result)
        self.assertEqual(
            sorted(page_params["realm_users"][0].keys()),
            [
                "avatar_url",
                "avatar_version",
                "date_joined",
                "email",
                "full_name",
                "is_admin",
                "is_bot",
                "is_guest",
                "is_owner",
                "role",
                "user_id",
            ],
        )
        date_length = len("YYYY-MM-DD")
        self.assert_length(page_params["realm_users"][0]["date_joined"], date_length)
        # Web-public session key should clear once user is logged in
        self.login("hamlet")
        self.client_get("/")