portalapi: don't leak the full list of users nor private apps

2024-09-03 20:06:10 +02:00 · 2024-01-22 21:30:46 +01:00 · 2024-01-22 21:30:46 +01:00 · 045869283c
commit 045869283c
parent 16d7f77f91
1 changed files with 14 additions and 1 deletions
--- a/src/portal.py
+++ b/src/portal.py
@ -115,7 +115,16 @@ def portal_public():
    """Get public settings
    If the portal is set as public, it will include the list of public apps
    """
-    return _get_portal_settings()
+
+    portal_settings = _get_portal_settings()
+
+    del portal_settings["portal_user_intro"]
+
+    # Prevent leaking the list of users
+    for infos in portal_settings["apps"].values():
+        del infos["users"]
+
+    return portal_settings


 def portal_me():
@ -131,6 +140,10 @@ def portal_me():
    # Get user allowed apps
    apps = _get_portal_settings(domain, username)["apps"]

+    # Prevent leaking the list of users
+    for infos in apps.values():
+        del infos["users"]
+
    result_dict = {
        "username": username,
        "fullname": user["cn"][0],