From a38b56c84b306f0984ade5b8941e5bb03dc1db3f Mon Sep 17 00:00:00 2001
From: Maksym Mykhailenko <maxceem@gmail.com>
Date: Thu, 6 Feb 2020 17:39:03 +0800
Subject: [PATCH] fix: don't return email in invites for non-admin users, if
 invited by handle

---
 src/util.js | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/util.js b/src/util.js
index 5c8b7687..2592d7ba 100644
--- a/src/util.js
+++ b/src/util.js
@@ -682,6 +682,17 @@ _.assignIn(util, {
     return _.map(members, (member) => {
       let memberDetails = _.find(allMemberDetails, ({ userId }) => userId === member.userId);
       memberDetails = _.assign({}, member, memberDetails);
+      // this case would be only valid for invites:
+      // don't return `email` for non-admins if invitation has `userId`
+      // if invitation doesn't have `userId` means it is invitation by email
+      // then we are still returning emails to all users
+      if (
+        memberDetails.email &&
+        memberDetails.userId &&
+        !util.hasPermission({ topcoderRoles: ADMIN_ROLES }, req.authUser)
+      ) {
+        delete memberDetails.email;
+      }
       return _(memberDetails).pick(fields).defaults(memberDefaults).value();
     });
   },