From a5384acc5e459fb655cab15637133cf5207038f0 Mon Sep 17 00:00:00 2001
From: Okke Harsta
Date: Wed, 22 Jan 2025 16:04:11 +0100
Subject: [PATCH] Miscellaneous
(cherry picked from commit 45bf43d2b2eb399635b481c6be4245fbf5788f55)
# Conflicts:
# server/requirements/base.txt
# server/requirements/test.txt
---
server/api/invitation.py | 6 +++++-
server/api/organisation_invitation.py | 15 ++++++++++-----
server/api/service_invitation.py | 13 ++++++++++---
server/db/domain.py | 4 ++++
4 files changed, 29 insertions(+), 9 deletions(-)
diff --git a/server/api/invitation.py b/server/api/invitation.py
index 475004743..9097a97ae 100644
--- a/server/api/invitation.py
+++ b/server/api/invitation.py
@@ -125,7 +125,6 @@ def invitations_by_hash(): invitation.collaboration.groups invitation.collaboration.services invitation.collaboration.organisation - invitation.collaboration.organisation.services for member in invitation.collaboration.collaboration_memberships: member.user
@@ -134,6 +133,11 @@ def invitations_by_hash(): return invitation, 200 invitation_json = jsonify(invitation).json + # Sanitize user information + for cm in invitation_json["collaboration"]["collaboration_memberships"]: + cm["user"] = User.sanitize_user(cm["user"]) + invitation_json["user"] = User.sanitize_user(invitation_json["user"]) + service_emails = invitation.collaboration.service_emails() admin_emails = invitation.collaboration.organisation.admin_emails() return {"invitation": invitation_json, "service_emails": service_emails, "admin_emails": admin_emails}, 200
diff --git a/server/api/organisation_invitation.py b/server/api/organisation_invitation.py
index 0d3749d60..17262fefd 100644
--- a/server/api/organisation_invitation.py
+++ b/server/api/organisation_invitation.py
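Review bot: In the second hunk `invitation_json["user"]` and every `cm["user"]` are handed to `User.sanitize_user` unconditionally, and that helper calls `.get` on its argument, so an inviter or a membership whose `user` serialises to `None` would become a 500 instead of a sanitised record; whether those columns are nullable is not visible here, so if they can be, guard the call (`cm["user"] = User.sanitize_user(cm["user"]) if cm["user"] else None`) or make the helper tolerate `None`. The same post-serialisation block is repeated almost verbatim, with only the membership key changed, in organisation_invitation.py and service_invitation.py; a single helper next to `json_endpoint` in server/api/base taking the membership key would keep the three endpoints' exposure rules identical whenever the allow-list changes. The loop only reaches the two `user` paths it names, so if `jsonify(invitation)` pulls in further user objects through `collaboration.organisation` they stay unsanitised; a test asserting that no nested `user` dict in the response carries keys beyond `name` and `email` would pin that intent down. invitations_by_hash starts before the first hunk.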
@@ -1,4 +1,4 @@ -from flask import Blueprint, request as current_request, current_app +from flask import Blueprint, request as current_request, current_app, jsonify from sqlalchemy import func from sqlalchemy.orm import joinedload, load_only from werkzeug.exceptions import Conflict
@@ -6,7 +6,7 @@ from server.api.base import json_endpoint, query_param, emit_socket from server.auth.security import confirm_organisation_admin, current_user_id from server.db.defaults import default_expiry_date -from server.db.domain import OrganisationInvitation, Organisation, OrganisationMembership, db +from server.db.domain import OrganisationInvitation, Organisation, OrganisationMembership, db, User from server.db.models import delete from server.mail import mail_organisation_invitation from server.tools import dt_now
@@ -47,11 +47,16 @@ def organisation_invitations_by_hash(): organisation_invitation = invitation_query \ .filter(OrganisationInvitation.hash == hash_value) \ .one() - # To avoid conflict: Loader strategies for ORM Path[Mapper - organisation_invitation.organisation.services for member in organisation_invitation.organisation.organisation_memberships: member.user - return organisation_invitation, 200 + + invitation_json = jsonify(organisation_invitation).json + # Sanitize user information + for om in invitation_json["organisation"]["organisation_memberships"]: + om["user"] = User.sanitize_user(om["user"]) + invitation_json["user"] = User.sanitize_user(invitation_json["user"]) + + return invitation_json, 200 @organisation_invitations_api.route("/accept", methods=["PUT"], strict_slashes=False)
diff --git a/server/api/service_invitation.py b/server/api/service_invitation.py
index 3f829ca9e..6af3d84f2 100644
--- a/server/api/service_invitation.py
+++ b/server/api/service_invitation.py
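Review bot: The third hunk removes the `# To avoid conflict: Loader strategies for ORM Path[Mapper` comment together with the `organisation_invitation.organisation.services` line, yet keeps the `for member in ...: member.user` loop that comment was explaining, so the surviving loop now reads as a no-op that a later clean-up could delete and thereby change what `jsonify` emits before the sanitising loop runs. Carry the comment over to the loop it still applies to, e.g. `# To avoid conflict: Loader strategies for ORM Path[Mapper` directly above `for member in organisation_invitation.organisation.organisation_memberships:`; service_invitation.py still has the comment in place, so the two files would stay consistent. A one-line note on `invitation_json = jsonify(organisation_invitation).json` saying that the serialise-and-reparse exists only so the membership users can be rewritten before `json_endpoint` (outside the hunk) serialises the result again would spare the next reader the same question. organisation_invitations_by_hash begins before the hunk.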
@@ -1,4 +1,4 @@ -from flask import Blueprint, request as current_request, current_app +from flask import Blueprint, request as current_request, current_app, jsonify from sqlalchemy import func from sqlalchemy.orm import joinedload, load_only from werkzeug.exceptions import Conflict
@@ -6,7 +6,7 @@ from server.api.base import json_endpoint, query_param, emit_socket from server.auth.security import confirm_service_admin, current_user_id from server.db.defaults import default_expiry_date -from server.db.domain import ServiceInvitation, Service, ServiceMembership, db +from server.db.domain import ServiceInvitation, Service, ServiceMembership, db, User from server.db.models import delete from server.mail import mail_service_invitation from server.tools import dt_now
@@ -51,7 +51,14 @@ def service_invitations_by_hash(): # To avoid conflict: Loader strategies for ORM Path[Mapper for member in service_invitation.service.service_memberships: member.user - return service_invitation, 200 + + invitation_json = jsonify(service_invitation).json + # Sanitize user information + for sm in invitation_json["service"]["service_memberships"]: + sm["user"] = User.sanitize_user(sm["user"]) + invitation_json["user"] = User.sanitize_user(invitation_json["user"]) + + return invitation_json, 200 @service_invitations_api.route("/accept", methods=["PUT"], strict_slashes=False)
diff --git a/server/db/domain.py b/server/db/domain.py
index bbae676c1..46541c8f7 100644
--- a/server/db/domain.py
+++ b/server/db/domain.py
@@ -115,6 +115,10 @@ def successful_login(self, second_factor_confirmed=True): self.suspended = False self.suspend_notifications = [] + @staticmethod + def sanitize_user(user_json: dict): + return {"name": user_json.get("name"), "email": user_json.get("email")} + services_organisations_association = db.Table( "services_organisations",
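Review bot: `sanitize_user` in the domain.py hunk carries no docstring, and nothing on it records that it is the allow-list deciding which user fields the three `*_invitations_by_hash` responses expose to a caller presenting an invitation hash; a maintainer extending it for convenience would widen that exposure without noticing. It is also attached to `User` as a static method although it takes the serialised dict rather than a `User` instance, and it raises `AttributeError` on `None`, which none of its call sites in server/api guard. The method is added inside the `User` class between `successful_login` and the module-level `services_organisations_association` table; the class header is outside the hunk. The rewrite below keeps the allow-list, documents why it is one, and tolerates `None`.
```python
    @staticmethod
    def sanitize_user(user_json: dict):
        """Return the subset of a serialised user that an invitee may see.

        Deliberately an allow-list: fields not named here are dropped, so adding
        a column to User never widens what the *_invitations_by_hash endpoints
        return. Takes the JSON form of a user (as produced by jsonify), not a
        User instance; a missing user passes through as None.
        """
        if user_json is None:
            return None
        return {"name": user_json.get("name"), "email": user_json.get("email")}
```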