From 045869283c7e8f4dda07f3cc6fd48e817ddf0dd3 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Mon, 22 Jan 2024 21:30:46 +0100
Subject: [PATCH] portalapi: don't leak the full list of users nor private apps
---
 src/portal.py | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/src/portal.py b/src/portal.py
index 34cdc3ef6..40bf211dc 100644
--- a/src/portal.py
+++ b/src/portal.py
@@ -115,7 +115,16 @@ def portal_public():
 """Get public settings
 If the portal is set as public, it will include the list of public apps
 """
- return _get_portal_settings()
+
+ portal_settings = _get_portal_settings()
+
+ del portal_settings["portal_user_intro"]
+
+ # Prevent leaking the list of users
+ for infos in portal_settings["apps"].values():
+ del infos["users"]
+
+ return portal_settings
 
 
 def portal_me():
@@ -131,6 +140,10 @@ def portal_me():
 # Get user allowed apps
 apps = _get_portal_settings(domain, username)["apps"]
 
+ # Prevent leaking the list of users
+ for infos in apps.values():
+ del infos["users"]
+
 result_dict = {
 "username": username,
 "fullname": user["cn"][0],
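Review bot: `portal_public()` still returns the whole `_get_portal_settings()` dict minus two deleted keys, so this public endpoint fails open: any field later added to the settings or to an app's `infos` is exposed unless someone also deletes it here. Returning a dict built from an explicit list of public-safe keys would make the safe behaviour the default. The subject also mentions private apps, but no app filtering is visible in this hunk; it presumably happens inside `_get_portal_settings()`, which is worth confirming since the `def` line and that helper are outside the hunk. Separately, a bare `del` raises `KeyError` when the key is absent, here and in the loop added to `portal_me()`; `portal_settings.pop("portal_user_intro", None)` and `infos.pop("users", None)` would tolerate a missing key.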
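Review bot: The loop that strips `users` is now duplicated in both callers of `_get_portal_settings()`, so a future caller that returns `apps` can omit it and reintroduce the leak. Consider one private helper called from both places, or doing the stripping inside `_get_portal_settings()` after whatever filtering it does with `username`, with a comment such as `# "users" is only needed for access filtering; never return it to clients`. The deletes also modify the returned dict in place, which is only safe if `_get_portal_settings()` builds a fresh object on every call; that is not visible here. `portal_me()` begins above this hunk and `result_dict` continues past it.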