hid email

pcrespov · pcrespov · commit 604e6a5b304f · 2024-12-10T16:13:41.000+01:00
diff --git a/services/web/server/src/simcore_service_webserver/groups/_groups_api.py b/services/web/server/src/simcore_service_webserver/groups/_groups_api.py
@@ -256,9 +256,10 @@ async def add_user_in_group(
         msg = "Invalid method call, missing user id or user email"
         raise GroupsError(msg=msg)
 
-    # FIXME: check privacy
     if new_user_email:
-        user = await _groups_db.get_user_from_email(app, email=new_user_email)
+        user = await _groups_db.get_user_from_email(
+            app, email=new_user_email, caller_user_id=user_id
+        )
         new_user_id = user.id
 
     if not new_user_id:
diff --git a/services/web/server/src/simcore_service_webserver/groups/_groups_db.py b/services/web/server/src/simcore_service_webserver/groups/_groups_db.py
@@ -113,24 +113,6 @@ async def _get_group_and_access_rights_or_raise(
     return row
 
 
-async def get_user_from_email(
-    app: web.Application, connection: AsyncConnection | None = None, *, email: str
-) -> Row:
-    """
-    Raises:
-        UserNotFoundError
-
-    """
-    # FIXME: check privacy
-
-    async with pass_or_acquire_connection(get_asyncpg_engine(app), connection) as conn:
-        result = await conn.stream(sa.select(users).where(users.c.email == email))
-        user = await result.fetchone()
-        if not user:
-            raise UserNotFoundError(email=email)
-        return user
-
-
 #
 # GROUPS
 #
@@ -356,6 +338,39 @@ async def delete_user_group(
         )
 
 
+#
+# USERS
+#
+
+
+async def get_user_from_email(
+    app: web.Application,
+    connection: AsyncConnection | None = None,
+    *,
+    caller_user_id: UserID,
+    email: str,
+) -> Row:
+    """
+    Raises:
+        UserNotFoundError: if not found or privacy hides email
+
+    """
+    async with pass_or_acquire_connection(get_asyncpg_engine(app), connection) as conn:
+        result = await conn.stream(
+            sa.select(users.c.id).where(
+                (users.c.email == email)
+                & (
+                    users.c.privacy_hide_email.is_(False)
+                    | (users.c.id != caller_user_id)
+                )
+            )
+        )
+        user = await result.fetchone()
+        if not user:
+            raise UserNotFoundError(email=email)
+        return user
+
+
 #
 # GROUP MEMBERS - CRUD
 #
