Miscellaneous

(cherry picked from commit 45bf43d) # Conflicts: # server/requirements/base.txt # server/requirements/test.txt
SURFscz · Jan 23, 2025 · a5384ac · a5384ac
1 parent 1ee423a
commit a5384ac
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 9 deletions.
diff --git a/server/api/invitation.py b/server/api/invitation.py
@@ -125,7 +125,6 @@ def invitations_by_hash():
     invitation.collaboration.groups
     invitation.collaboration.services
     invitation.collaboration.organisation
-    invitation.collaboration.organisation.services
 
     for member in invitation.collaboration.collaboration_memberships:
         member.user
@@ -134,6 +133,11 @@ def invitations_by_hash():
         return invitation, 200
 
     invitation_json = jsonify(invitation).json
+    # Sanitize user information
+    for cm in invitation_json["collaboration"]["collaboration_memberships"]:
+        cm["user"] = User.sanitize_user(cm["user"])
+    invitation_json["user"] = User.sanitize_user(invitation_json["user"])
+
     service_emails = invitation.collaboration.service_emails()
     admin_emails = invitation.collaboration.organisation.admin_emails()
     return {"invitation": invitation_json, "service_emails": service_emails, "admin_emails": admin_emails}, 200

diff --git a/server/api/organisation_invitation.py b/server/api/organisation_invitation.py
@@ -1,12 +1,12 @@
-from flask import Blueprint, request as current_request, current_app
+from flask import Blueprint, request as current_request, current_app, jsonify
 from sqlalchemy import func
 from sqlalchemy.orm import joinedload, load_only
 from werkzeug.exceptions import Conflict
 
 from server.api.base import json_endpoint, query_param, emit_socket
 from server.auth.security import confirm_organisation_admin, current_user_id
 from server.db.defaults import default_expiry_date
-from server.db.domain import OrganisationInvitation, Organisation, OrganisationMembership, db
+from server.db.domain import OrganisationInvitation, Organisation, OrganisationMembership, db, User
 from server.db.models import delete
 from server.mail import mail_organisation_invitation
 from server.tools import dt_now
@@ -47,11 +47,16 @@ def organisation_invitations_by_hash():
     organisation_invitation = invitation_query \
         .filter(OrganisationInvitation.hash == hash_value) \
         .one()
-    # To avoid conflict: Loader strategies for ORM Path[Mapper
-    organisation_invitation.organisation.services
     for member in organisation_invitation.organisation.organisation_memberships:
         member.user
-    return organisation_invitation, 200
+
+    invitation_json = jsonify(organisation_invitation).json
+    # Sanitize user information
+    for om in invitation_json["organisation"]["organisation_memberships"]:
+        om["user"] = User.sanitize_user(om["user"])
+    invitation_json["user"] = User.sanitize_user(invitation_json["user"])
+
+    return invitation_json, 200
 
 
 @organisation_invitations_api.route("/accept", methods=["PUT"], strict_slashes=False)

diff --git a/server/api/service_invitation.py b/server/api/service_invitation.py
@@ -1,12 +1,12 @@
-from flask import Blueprint, request as current_request, current_app
+from flask import Blueprint, request as current_request, current_app, jsonify
 from sqlalchemy import func
 from sqlalchemy.orm import joinedload, load_only
 from werkzeug.exceptions import Conflict
 
 from server.api.base import json_endpoint, query_param, emit_socket
 from server.auth.security import confirm_service_admin, current_user_id
 from server.db.defaults import default_expiry_date
-from server.db.domain import ServiceInvitation, Service, ServiceMembership, db
+from server.db.domain import ServiceInvitation, Service, ServiceMembership, db, User
 from server.db.models import delete
 from server.mail import mail_service_invitation
 from server.tools import dt_now
@@ -51,7 +51,14 @@ def service_invitations_by_hash():
     # To avoid conflict: Loader strategies for ORM Path[Mapper
     for member in service_invitation.service.service_memberships:
         member.user
-    return service_invitation, 200
+
+    invitation_json = jsonify(service_invitation).json
+    # Sanitize user information
+    for sm in invitation_json["service"]["service_memberships"]:
+        sm["user"] = User.sanitize_user(sm["user"])
+    invitation_json["user"] = User.sanitize_user(invitation_json["user"])
+
+    return invitation_json, 200
 
 
 @service_invitations_api.route("/accept", methods=["PUT"], strict_slashes=False)

diff --git a/server/db/domain.py b/server/db/domain.py
@@ -115,6 +115,10 @@ def successful_login(self, second_factor_confirmed=True):
         self.suspended = False
         self.suspend_notifications = []
 
+    @staticmethod
+    def sanitize_user(user_json: dict):
+        return {"name": user_json.get("name"), "email": user_json.get("email")}
+
 
 services_organisations_association = db.Table(
     "services_organisations",