Merge branch 'develop' into hotfix/user_level_reports

Vikas Agarwal · Vikas Agarwal · commit cc63fe8da5a9 · 2020-04-01T20:51:44.000+05:30
diff --git a/src/routes/projects/list.spec.js b/src/routes/projects/list.spec.js
@@ -442,31 +442,32 @@ describe('LIST Project', () => {
               const resJson = res.body;
               should.exist(resJson);
               resJson.should.have.lengthOf(3);
-              resJson[0].should.have.property('attachments');
-              resJson[0].attachments.should.have.lengthOf(2);
-              resJson[0].attachments[0].should.have.property('id');
-              resJson[0].attachments[0].should.have.property('projectId');
-              resJson[0].attachments[0].should.have.property('title');
-              resJson[0].attachments[0].should.have.property('description');
-              resJson[0].attachments[0].should.have.property('path');
-              resJson[0].attachments[0].should.have.property('type');
-              resJson[0].attachments[0].should.have.property('tags');
-              resJson[0].attachments[0].should.have.property('contentType');
-              resJson[0].attachments[0].should.have.property('createdBy');
-              resJson[0].attachments[0].should.have.property('updatedBy');
+              const project = _.find(resJson, { id: project1.id });
+              project.should.have.property('attachments');
+              project.attachments.should.have.lengthOf(2);
+              project.attachments[0].should.have.property('id');
+              project.attachments[0].should.have.property('projectId');
+              project.attachments[0].should.have.property('title');
+              project.attachments[0].should.have.property('description');
+              project.attachments[0].should.have.property('path');
+              project.attachments[0].should.have.property('type');
+              project.attachments[0].should.have.property('tags');
+              project.attachments[0].should.have.property('contentType');
+              project.attachments[0].should.have.property('createdBy');
+              project.attachments[0].should.have.property('updatedBy');
 
-              resJson[0].attachments[1].should.have.property('id');
-              resJson[0].attachments[1].should.have.property('projectId');
-              resJson[0].attachments[1].should.have.property('title');
-              resJson[0].attachments[1].should.have.property('description');
-              resJson[0].attachments[1].should.have.property('path');
-              resJson[0].attachments[1].should.have.property('type');
-              resJson[0].attachments[1].should.have.property('tags');
-              resJson[0].attachments[1].should.have.property('createdBy');
-              resJson[0].attachments[1].should.have.property('updatedBy');
+              project.attachments[1].should.have.property('id');
+              project.attachments[1].should.have.property('projectId');
+              project.attachments[1].should.have.property('title');
+              project.attachments[1].should.have.property('description');
+              project.attachments[1].should.have.property('path');
+              project.attachments[1].should.have.property('type');
+              project.attachments[1].should.have.property('tags');
+              project.attachments[1].should.have.property('createdBy');
+              project.attachments[1].should.have.property('updatedBy');
 
-              resJson[0].should.have.property('description');
-              resJson[0].should.have.property('billingAccountId');
+              project.should.have.property('description');
+              project.should.have.property('billingAccountId');
               done();
             }
           });
@@ -1112,7 +1113,6 @@ describe('LIST Project', () => {
               resJson[0].name.should.equal('test1');
               resJson[0].invites.should.have.lengthOf(2);
               resJson[0].invites[0].should.have.property('email');
-              should.not.exist(resJson[0].invites[0].userId);
               resJson[0].invites[1].email.should.equal('h***o@w***d.com');
               done();
             }
diff --git a/src/util.js b/src/util.js
@@ -636,14 +636,12 @@ _.assignIn(util, {
     }
   },
   /**
-   * Post-process given invite(s) with following constraints:
-   * - email field will be omitted from invite if the invite has defined userId
-   * - email field (if existed) will be masked UNLESS current user has admin permissions OR current user created this invite
+   * Post-process given invite(s)
+   * Mask `email` and hide `userId` to prevent leaking Personally Identifiable Information (PII)
    *
-   * Email to be masked is found in the fields defined by `jsonPath` in the `data`.
    * Immutable - doesn't modify data, but creates a clone.
    *
-   * @param {String}  jsonPath   jsonpath string
+   * @param {String}  jsonPath  jsonpath string
    * @param {Object}  data      the data which  need to process
    * @param {Object}  req       The request object
    *
@@ -668,13 +666,21 @@ _.assignIn(util, {
       }
 
       if (invite.email) {
-        // mask email if non-admin or not own invite
+        const canSeeEmail = (
+          isAdmin || // admin
+          invite.createdBy === currentUserId || // user who created invite
+          invite.userId === currentUserId // user who is invited
+        );
+        // mask email if user cannot see it
         _.assign(invite, {
-          email: isAdmin || invite.createdBy === currentUserId ? invite.email : util.maskEmail(invite.email),
+          email: canSeeEmail ? invite.email : util.maskEmail(invite.email),
         });
 
-        // for non-admin users don't return `userId` for invites created by `email`
-        if (invite.userId && !isAdmin) {
+        const canGetUserId = (
+          isAdmin || // admin
+          invite.userId === currentUserId // user who is invited
+        );
+        if (invite.userId && !canGetUserId) {
           _.assign(invite, {
             userId: null,
           });
