Merge pull request #4603 from dragonchaser/filter-user-email-in-results

mask user emails in search results
cs3org · Mar 28, 2024 · 9c04f2d · 9c04f2d
2 parents 8b17444 + 84dac71
commit 9c04f2d
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 0 deletions.
diff --git a/changelog/unreleased/mask-user-email-in-output.md b/changelog/unreleased/mask-user-email-in-output.md
@@ -0,0 +1,7 @@
+Bugfix: Mask user email in output
+
+We have fixed a bug where the user email was not masked in the output and the user emails could be enumerated through
+the sharee search.
+
+https://github.com/cs3org/reva/pull/4603
+https://github.com/owncloud/ocis/issues/8726
diff --git a/internal/http/services/owncloud/ocs/config/config.go b/internal/http/services/owncloud/ocs/config/config.go
@@ -47,6 +47,7 @@ type Config struct {
 	ListOCMShares                         bool                              `mapstructure:"list_ocm_shares"`
 	Notifications                         map[string]interface{}            `mapstructure:"notifications"`
 	IncludeOCMSharees                     bool                              `mapstructure:"include_ocm_sharees"`
+	ShowEmailInResults                    bool                              `mapstructure:"show_email_in_results"`
 }
 
 // Init sets sane defaults

diff --git a/internal/http/services/owncloud/ocs/handlers/apps/sharing/sharees/sharees.go b/internal/http/services/owncloud/ocs/handlers/apps/sharing/sharees/sharees.go
@@ -40,13 +40,15 @@ type Handler struct {
 	gatewayAddr             string
 	additionalInfoAttribute string
 	includeOCMSharees       bool
+	showUserEmailInResults  bool
 }
 
 // Init initializes this and any contained handlers
 func (h *Handler) Init(c *config.Config) {
 	h.gatewayAddr = c.GatewaySvc
 	h.additionalInfoAttribute = c.AdditionalInfoAttribute
 	h.includeOCMSharees = c.IncludeOCMSharees
+	h.showUserEmailInResults = c.ShowEmailInResults
 }
 
 // FindSharees implements the /apps/files_sharing/api/v1/sharees endpoint
@@ -123,6 +125,21 @@ func (h *Handler) FindSharees(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
+	if !h.showUserEmailInResults {
+		for _, m := range userMatches {
+			m.Value.ShareWithAdditionalInfo = m.Value.ShareWith
+		}
+		for _, m := range exactUserMatches {
+			m.Value.ShareWithAdditionalInfo = m.Value.ShareWith
+		}
+		for _, m := range groupMatches {
+			m.Value.ShareWithAdditionalInfo = m.Value.ShareWith
+		}
+		for _, m := range exactGroupMatches {
+			m.Value.ShareWithAdditionalInfo = m.Value.ShareWith
+		}
+	}
+
 	response.WriteOCSSuccess(w, r, &conversions.ShareeData{
 		Exact: &conversions.ExactMatchesData{
 			Users:   exactUserMatches,