# HG changeset patch
# User Mads Kiilerich
# Date 1423190140 -3600
# Node ID 5923d74742879b812965568475e21c3496d722a9
# Parent 9df497f29cf2538f29440e66013bc7f864395082
[security fix] api: don't send internal data unless asked for it

This changeset fixes CVE-2015-0260. See for more details.

diff -r 9df497f29cf2 -r 5923d7474287 kallithea/model/db.py
--- a/kallithea/model/db.py	Thu Jan 29 21:49:02 2015 +0100
+++ b/kallithea/model/db.py	Fri Feb 06 03:35:40 2015 +0100
@@ -627,7 +627,7 @@
             raise Exception('Missing default account!')
         return user
 
-    def get_api_data(self):
+    def get_api_data(self, details=False):
         """
         Common function for generating user related data for API
         """
@@ -639,15 +639,18 @@
             lastname=user.lastname,
             email=user.email,
             emails=user.emails,
-            api_key=user.api_key,
-            api_keys=user.api_keys,
             active=user.active,
             admin=user.admin,
-            extern_type=user.extern_type,
-            extern_name=user.extern_name,
-            last_login=user.last_login,
-            ip_addresses=user.ip_addresses
         )
+        if details:
+            data.update(dict(
+                extern_type=user.extern_type,
+                extern_name=user.extern_name,
+                api_key=user.api_key,
+                api_keys=user.api_keys,
+                last_login=user.last_login,
+                ip_addresses=user.ip_addresses
+            ))
         return data
 
     def __json__(self):
diff -r 9df497f29cf2 -r 5923d7474287 kallithea/tests/functional/test_admin_users.py
--- a/kallithea/tests/functional/test_admin_users.py	Thu Jan 29 21:49:02 2015 +0100
+++ b/kallithea/tests/functional/test_admin_users.py	Fri Feb 06 03:35:40 2015 +0100
@@ -129,7 +129,7 @@
                                   extern_name=self.test_user_1,
                                   skip_if_exists=True)
         Session().commit()
-        params = usr.get_api_data()
+        params = usr.get_api_data(True)
         params.update({'password_confirmation': ''})
         params.update({'new_password': ''})
         params.update(attrs)
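Review bot: The new `details` parameter on `get_api_data` is undocumented — the docstring right below the changed signature still says only `Common function for generating user related data for API`, and nothing tells a caller that `details=True` switches on the sensitive fields (api keys, external auth identity, last login, IP addresses) that this fix exists to withhold. I would extend the docstring with a parameter line such as `:param details: also include api_key, api_keys, extern_type, extern_name, last_login and ip_addresses; presumably only for the user itself or an admin — confirm against the API controller`. Because the flag is a bare positional boolean, the updated tests call `get_api_data(True)`, which reads as a magic value; `get_api_data(details=True)` at call sites would make the intent visible. The method body continues past the end of this hunk.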
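Review bot: The added `if details:` block is the only thing between an API caller and `user.api_key`/`user.api_keys`, yet this method cannot know who is asking; the authorization decision lives entirely in callers outside this diff, so every call site that passes `True` must carry an explicit admin-or-self check, and that contract should be stated where the secrets are emitted, e.g. `# api_key(s) are credentials: pass details=True only after verifying the requester is this user or an admin` above the `if details:` line. Note also that the default payload still returns `email` and `emails` for any user; whether unprivileged API callers are meant to see those is a policy question I cannot settle from this hunk, but it is worth confirming. The `data = dict(` these keyword arguments belong to starts above the hunk, so the function begins outside it.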
@@ -149,7 +149,7 @@ self.checkSessionFlash(response, 'User updated successfully') updated_user = User.get_by_username(self.test_user_1) - updated_params = updated_user.get_api_data() + updated_params = updated_user.get_api_data(True) updated_params.update({'password_confirmation': ''}) updated_params.update({'new_password': ''}) diff -r 9df497f29cf2 -r 5923d7474287 kallithea/tests/functional/test_my_account.py --- a/kallithea/tests/functional/test_my_account.py Thu Jan 29 21:49:02 2015 +0100 +++ b/kallithea/tests/functional/test_my_account.py Fri Feb 06 03:35:40 2015 +0100 @@ -106,7 +106,7 @@ extern_type='internal', extern_name=self.test_user_1, skip_if_exists=True) - params = usr.get_api_data() # current user data + params = usr.get_api_data(True) # current user data user_id = usr.user_id self.log_user(username=self.test_user_1, password='qweqwe') @@ -122,7 +122,7 @@ 'Your account was updated successfully') updated_user = User.get_by_username(self.test_user_1) - updated_params = updated_user.get_api_data() + updated_params = updated_user.get_api_data(True) updated_params.update({'password_confirmation': ''}) updated_params.update({'new_password': ''})