diff options
| author | Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> | 2022-01-14 14:53:33 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-01-14 14:53:33 +0000 |
| commit | 18862f20b5495bdc556c54e92fd4b1efdc718ba7 (patch) | |
| tree | e73bd7b1ca72deb0d4ab0ce52ba6a37f8a60e4d8 /synapse/handlers/admin.py | |
| parent | Fix sample_config.yaml in regards track_puppeted_user_ips (#11749) (diff) | |
| download | synapse-18862f20b5495bdc556c54e92fd4b1efdc718ba7.tar.xz | |
Remove the 'password_hash' from the Users Admin API endpoint response dictionary (#11576)
Diffstat (limited to 'synapse/handlers/admin.py')
| -rw-r--r-- | synapse/handlers/admin.py | 56 |
1 files changed, 41 insertions, 15 deletions
diff --git a/synapse/handlers/admin.py b/synapse/handlers/admin.py index 85157a138b..00ab5e79bf 100644 --- a/synapse/handlers/admin.py +++ b/synapse/handlers/admin.py @@ -55,21 +55,47 @@ class AdminHandler: async def get_user(self, user: UserID) -> Optional[JsonDict]: """Function to get user details""" - ret = await self.store.get_user_by_id(user.to_string()) - if ret: - profile = await self.store.get_profileinfo(user.localpart) - threepids = await self.store.user_get_threepids(user.to_string()) - external_ids = [ - ({"auth_provider": auth_provider, "external_id": external_id}) - for auth_provider, external_id in await self.store.get_external_ids_by_user( - user.to_string() - ) - ] - ret["displayname"] = profile.display_name - ret["avatar_url"] = profile.avatar_url - ret["threepids"] = threepids - ret["external_ids"] = external_ids - return ret + user_info_dict = await self.store.get_user_by_id(user.to_string()) + if user_info_dict is None: + return None + + # Restrict returned information to a known set of fields. This prevents additional + # fields added to get_user_by_id from modifying Synapse's external API surface. + user_info_to_return = { + "name", + "admin", + "deactivated", + "shadow_banned", + "creation_ts", + "appservice_id", + "consent_server_notice_sent", + "consent_version", + "user_type", + "is_guest", + } + + # Restrict returned keys to a known set. + user_info_dict = { + key: value + for key, value in user_info_dict.items() + if key in user_info_to_return + } + + # Add additional user metadata + profile = await self.store.get_profileinfo(user.localpart) + threepids = await self.store.user_get_threepids(user.to_string()) + external_ids = [ + ({"auth_provider": auth_provider, "external_id": external_id}) + for auth_provider, external_id in await self.store.get_external_ids_by_user( + user.to_string() + ) + ] + user_info_dict["displayname"] = profile.display_name + user_info_dict["avatar_url"] = profile.avatar_url + user_info_dict["threepids"] = threepids + user_info_dict["external_ids"] = external_ids + + return user_info_dict async def export_user_data(self, user_id: str, writer: "ExfiltrationWriter") -> Any: """Write all data we have on the user to the given writer. |