Skip to content

Commit 123aacc

Browse files
authored
Exclude user from jsonapi response for account links (#634)
1 parent f91b4ed commit 123aacc

3 files changed

Lines changed: 22 additions & 1 deletion

File tree

src/inttest/java/com/faforever/api/data/PlayerElideTest.java

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -52,10 +52,17 @@ public void restrictedResultWithoutScope() throws Exception {
5252
.andExpect(jsonPath("$.data[1].relationships", not(hasKey("uniqueIds"))))
5353
.andExpect(jsonPath("$.data[2].relationships", not(hasKey("uniqueIds"))))
5454
.andExpect(jsonPath("$.data[3].relationships", not(hasKey("uniqueIds"))))
55+
.andExpect(jsonPath("$.data[0].relationships", not(hasKey("accountLinks"))))
56+
.andExpect(jsonPath("$.data[1].relationships", not(hasKey("accountLinks"))))
57+
.andExpect(jsonPath("$.data[2].relationships", not(hasKey("accountLinks"))))
58+
.andExpect(jsonPath("$.data[3].relationships", not(hasKey("accountLinks"))))
5559
// you are allowed to see your own stuff
5660
.andExpect(jsonPath("$.data[4].attributes.email", is("active-user@faforever.com")))
5761
.andExpect(jsonPath("$.data[4].attributes.recentIpAddress", is("127.0.0.1")))
5862
.andExpect(jsonPath("$.data[4].attributes", hasKey("lastLogin")))
63+
.andExpect(jsonPath("$.data[4].relationships", hasKey("reporterOnModerationReports")))
64+
.andExpect(jsonPath("$.data[4].relationships", hasKey("userGroups")))
65+
.andExpect(jsonPath("$.data[4].relationships", hasKey("accountLinks")))
5966
// you cannot see your uuid
6067
.andExpect(jsonPath("$.data[4].relationships", not(hasKey("uniqueIds"))))
6168
// nobody can see passwords!
@@ -104,12 +111,17 @@ public void restrictedResultWithoutRole() throws Exception {
104111
.andExpect(jsonPath("$.data[1].relationships", not(hasKey("uniqueIds"))))
105112
.andExpect(jsonPath("$.data[2].relationships", not(hasKey("uniqueIds"))))
106113
.andExpect(jsonPath("$.data[3].relationships", not(hasKey("uniqueIds"))))
114+
.andExpect(jsonPath("$.data[0].relationships", not(hasKey("accountLinks"))))
115+
.andExpect(jsonPath("$.data[1].relationships", not(hasKey("accountLinks"))))
116+
.andExpect(jsonPath("$.data[2].relationships", not(hasKey("accountLinks"))))
117+
.andExpect(jsonPath("$.data[3].relationships", not(hasKey("accountLinks"))))
107118
// you are allowed to see your own stuff
108119
.andExpect(jsonPath("$.data[4].attributes.email", is("active-user@faforever.com")))
109120
.andExpect(jsonPath("$.data[4].attributes.recentIpAddress", is("127.0.0.1")))
110121
.andExpect(jsonPath("$.data[4].attributes", hasKey("lastLogin")))
111122
.andExpect(jsonPath("$.data[4].relationships", hasKey("reporterOnModerationReports")))
112123
.andExpect(jsonPath("$.data[4].relationships", hasKey("userGroups")))
124+
.andExpect(jsonPath("$.data[4].relationships", hasKey("accountLinks")))
113125
// you cannot see your uuid
114126
.andExpect(jsonPath("$.data[4].relationships", not(hasKey("uniqueIds"))))
115127
// nobody can see passwords!
@@ -162,6 +174,11 @@ public void canSeePrivateDetailsWithScopeAndRole() throws Exception {
162174
.andExpect(jsonPath("$.data[2].relationships", hasKey("uniqueIds")))
163175
.andExpect(jsonPath("$.data[3].relationships", hasKey("uniqueIds")))
164176
.andExpect(jsonPath("$.data[4].relationships", hasKey("uniqueIds")))
177+
.andExpect(jsonPath("$.data[0].relationships", hasKey("accountLinks")))
178+
.andExpect(jsonPath("$.data[1].relationships", hasKey("accountLinks")))
179+
.andExpect(jsonPath("$.data[2].relationships", hasKey("accountLinks")))
180+
.andExpect(jsonPath("$.data[3].relationships", hasKey("accountLinks")))
181+
.andExpect(jsonPath("$.data[4].relationships", hasKey("accountLinks")))
165182
// cannot see others reporterOnModerationReports
166183
.andExpect(jsonPath("$.data[0].relationships", not(hasKey("reporterOnModerationReports"))))
167184
.andExpect(jsonPath("$.data[1].relationships", not(hasKey("reporterOnModerationReports"))))

src/main/java/com/faforever/api/data/domain/AccountLink.java

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,7 @@
44
import com.faforever.api.data.checks.Prefab;
55
import com.faforever.api.security.elide.permission.ReadAccountPrivateDetailsCheck;
66
import com.fasterxml.jackson.annotation.JsonIgnore;
7+
import com.yahoo.elide.annotation.Exclude;
78
import com.yahoo.elide.annotation.Include;
89
import com.yahoo.elide.annotation.ReadPermission;
910
import com.yahoo.elide.annotation.UpdatePermission;
@@ -22,11 +23,12 @@
2223

2324
@Entity
2425
@Table(name = "service_links")
25-
@Include(name = "accountLink")
26+
@Include(name = AccountLink.TYPE_NAME, rootLevel = false)
2627
@Setter
2728
@ReadPermission(expression = IsEntityOwner.EXPRESSION + " OR " + ReadAccountPrivateDetailsCheck.EXPRESSION)
2829
public class AccountLink implements OwnableEntity {
2930

31+
public static final String TYPE_NAME = "accountLink";
3032
private String id;
3133
private User user;
3234
private LinkedServiceType serviceType;
@@ -48,6 +50,7 @@ public LinkedServiceType getServiceType() {
4850

4951
@ManyToOne(fetch = FetchType.LAZY)
5052
@JoinColumn(name = "user_id")
53+
@Exclude
5154
public User getUser() {
5255
return user;
5356
}

src/main/java/com/faforever/api/data/domain/Login.java

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -92,6 +92,7 @@ public Set<UserNote> getUserNotes() {
9292

9393
@OneToMany(mappedBy = "user", fetch = FetchType.EAGER)
9494
@BatchSize(size = 1000)
95+
@ReadPermission(expression = IsEntityOwner.EXPRESSION + " OR " + ReadAccountPrivateDetailsCheck.EXPRESSION)
9596
public Set<AccountLink> getAccountLinks() {
9697
return this.accountLinks;
9798
}

0 commit comments

Comments
 (0)