
API does not consistently return User properties #14446

Closed
@0x6d61726b
  • Gitea version (or commit ref):
    • 1.13.1
    • 1.14.0+dev-598-g4acb499f3
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No

Description

First of all, I have to say that Gitea is a great and very remarkable software product that I have been using privately for quite some time now.
To learn more, I am currently playing around with the Gitea API v1, where I have found that the User information returned is different from my expectations.

When calling https://try.gitea.io/api/v1/user?token=<token-of-0x6d61726b> and https://try.gitea.io/api/v1/users/0x6d61726b?token=<token-of-0x6d61726b>, the public and private information is returned:
[screenshot]

When calling https://try.gitea.io/api/v1/users/0x6d61726b-2?token=<token-of-0x6d61726b> (getting information about another user), the public information is returned correctly, whereas the private properties (administrator-accessible properties like email, is_admin, language, last_login) are filled with (logically valid) defaults:
[screenshot]

When calling https://try.gitea.io/api/v1/users/0x6d61726b-2/followers?token=<token-of-0x6d61726b> (0x6d61726b is following 0x6d61726b-2), the private properties of my own User (email, is_admin, language, last_login) are filled with (logically valid) defaults, too:
[screenshot]

Expectation

  • I have expected that public and private User information is always returned for the own User or when using an administrator account.
  • When using a non-administrator account and querying other User information, I expect to get only the properties I have access to (private ones are not transmitted) or that those properties are truly empty/invalid (especially for the email address or the is_admin address), like:
    [screenshot]

Questions

  • Is it expected that the own User information is returned in "public only" format when listed as a follower?
  • How can someone be absolutely sure that the information received is valid even when the provided format is valid (like is_admin equals false or email contains a correctly formatted address string)?

From what I currently have in mind, it would be better that Gitea returns only valid/accessible information to the API user, instead of guessing through post-processing on the API user's end which of the received information is valid and which is not.
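One way to implement the behaviour this report asks for, as an added Go example that is not Gitea's own code: the private fields of the wire struct are pointers with `omitempty`, so a caller who may not see them receives no key at all instead of `""` or `false`, and a client can tell "absent" from "defaulted" by checking key presence. The `User`, `apiUser`, `toAPI`, `render` and `hasKey` names and the sample records are hypothetical.

```go
package main

import "encoding/json"

// User is a hypothetical stored record (constructed; not Gitea's own type).
type User struct {
	ID       int64
	Login    string
	Email    string
	IsAdmin  bool
	Language string
}

// apiUser is the wire shape: private fields are pointers with omitempty, so a
// caller who may not see them gets no key at all rather than "" or false.
type apiUser struct {
	ID       int64   `json:"id"`
	Login    string  `json:"login"`
	Email    *string `json:"email,omitempty"`
	IsAdmin  *bool   `json:"is_admin,omitempty"`
	Language *string `json:"language,omitempty"`
}

// toAPI exposes private fields only to the record's owner or to an admin viewer;
// an anonymous (nil) or unrelated viewer gets the public fields only.
func toAPI(u User, viewer *User) apiUser {
	out := apiUser{ID: u.ID, Login: u.Login}
	if viewer != nil && (viewer.ID == u.ID || viewer.IsAdmin) {
		out.Email, out.IsAdmin, out.Language = &u.Email, &u.IsAdmin, &u.Language
	}
	return out
}

// render serializes the filtered view as the API would return it.
func render(u User, viewer *User) (string, error) {
	b, err := json.Marshal(toAPI(u, viewer))
	return string(b), err
}

// hasKey is the client-side check: "key absent" is distinguishable from
// "key present with a default", which a zero-filled response never allows.
func hasKey(doc, key string) bool {
	var m map[string]json.RawMessage
	if err := json.Unmarshal([]byte(doc), &m); err != nil {
		return false
	}
	_, ok := m[key]
	return ok
}
```

With this shape, `render(other, &me)` for a non-admin viewer yields only `{"id":...,"login":...}`, so `hasKey(doc, "is_admin")` is false rather than a misleading `false` value.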

Labels: modifies/api