Remove email from GetUserDetails when not same user. Fixes #579

1 files changed, 10 insertions, 1 deletions

diff --git a/server/src/api/user.rs b/server/src/api/user.rs
index 99072a74..1d332b90 100644
--- a/server/src/api/user.rs
+++ b/server/src/api/user.rs
@@ -466,7 +466,7 @@ impl Perform<GetUserDetailsResponse> for Oper<GetUserDetails> {
       }
     };
 
-    let user_view = UserView::read(&conn, user_details_id)?;
+    let mut user_view = UserView::read(&conn, user_details_id)?;
 
     let mut posts_query = PostQueryBuilder::create(&conn)
       .sort(&sort)
@@ -502,6 +502,15 @@ impl Perform<GetUserDetailsResponse> for Oper<GetUserDetails> {
     let creator_user = admins.remove(creator_index);
     admins.insert(0, creator_user);
 
+    // If its not the same user, remove the email
+    if let Some(user_id) = user_id {
+      if user_details_id != user_id {
+        user_view.email = None;
+      }
+    } else {
+      user_view.email = None;
+    }
+
     // Return the jwt
     Ok(GetUserDetailsResponse {
       user: user_view,