Merge branch 'dev' into prod

TheEpicBlock · TheEpicBlock · commit 38169951cf6f · 2025-08-10T23:34:39.000+02:00
diff --git a/platform_api/src/main/java/net/modfest/platform/controller/EventController.java b/platform_api/src/main/java/net/modfest/platform/controller/EventController.java
@@ -50,12 +50,14 @@ public EventData getEvent(@PathVariable String id) {
 
 	@PutMapping("/event/{id}/registrations/{userId}")
 	public UserData register(@PathVariable String id, @PathVariable String userId) {
-		return setRegistration(id, userId, true);
+		var data = setRegistration(id, userId, true);
+		return userController.filterSensitiveUserData(data);
 	}
 
 	@DeleteMapping("/event/{id}/registrations/{userId}")
 	public UserData unregister(@PathVariable String id, @PathVariable String userId) {
-		return setRegistration(id, userId, false);
+		var data = setRegistration(id, userId, false);
+		return userController.filterSensitiveUserData(data);
 	}
 
 	private UserData setRegistration(@PathVariable String id, @RequestBody String userId, boolean registered) {
diff --git a/platform_api/src/main/java/net/modfest/platform/controller/UserController.java b/platform_api/src/main/java/net/modfest/platform/controller/UserController.java
@@ -40,7 +40,7 @@ public class UserController {
 	@GetMapping("/users")
 	@RequiresPermissions(Permissions.Users.LIST_ALL)
 	public Collection<UserData> listAll() {
-		return service.getAll();
+		return service.getAll().stream().map(this::filterSensitiveUserData).toList();
 	}
 
 	@GetMapping(value = "/users/subscribe", produces = MediaType.TEXT_EVENT_STREAM_VALUE)
@@ -84,7 +84,7 @@ public ResponseEntity<SseEmitter> subscribeUserChanges() {
 	public UserData createUser(@RequestBody UserCreateData data) throws PlatformStandardException {
 		try {
 			var id = service.create(data);
-			return service.getByMfId(id);
+			return filterSensitiveUserData(service.getByMfId(id));
 		} catch (UserService.InvalidModrinthIdException e) {
 			throw new ResponseStatusException(
 				HttpStatus.BAD_REQUEST,
@@ -94,6 +94,11 @@ public UserData createUser(@RequestBody UserCreateData data) throws PlatformStan
 	}
 
 	@GetMapping("/user/{id}")
+	public UserData getSingleUserRoute(@PathVariable String id) {
+		var user = getSingleUser(id);
+		return filterSensitiveUserData(user);
+	}
+
 	public UserData getSingleUser(@PathVariable String id) {
 		if (Objects.equals(id, "@me")) {
 			var principal = SecurityUtils.getSubject().getPrincipal();
@@ -168,7 +173,7 @@ public UserData editUserData(@PathVariable String id, @RequestBody UserPatchData
 		}
 
 		service.save(newUser);
-		return newUser;
+		return filterSensitiveUserData(newUser);
 	}
 
 	@PutMapping("/user/{id}/minecraft/{username}")
@@ -219,6 +224,21 @@ public UserData forceUpdateUser(@RequestBody UserData data) {
 		}
 
 		service.save(data);
+		return filterSensitiveUserData(data);
+	}
+
+	/**
+	 * Removes any data the user does not have access to
+	 */
+	public UserData filterSensitiveUserData(UserData data) {
+		var subject = SecurityUtils.getSubject();
+		var owns = PermissionUtils.owns(subject, data);
+		var view_mc = subject.isPermitted(Permissions.Users.VIEW_MINECRAFT);
+
+		if (!owns && !view_mc) {
+			data = data.withMinecraftAccounts(null);
+		}
+
 		return data;
 	}
 }
diff --git a/platform_api/src/main/java/net/modfest/platform/security/PermissionGroup.java b/platform_api/src/main/java/net/modfest/platform/security/PermissionGroup.java
@@ -12,6 +12,7 @@ public enum PermissionGroup {
 	TEAM_MEMBERS(UNPRIVILEGED_USERS, Set.of(
 		Permissions.Meta.RELOAD,
 		Permissions.Users.LIST_ALL,
+		Permissions.Users.VIEW_MINECRAFT,
 		Permissions.Users.EDIT_OTHERS,
 		Permissions.Users.FORCE_EDIT,
 		Permissions.Event.BYPASS_REGISTRATIONS,
@@ -39,7 +40,8 @@ public enum PermissionGroup {
 	 * Permissions given when the minecraft server logs in
 	 */
 	EVENT_MC_SERVER(null, Set.of(
-		Permissions.Users.LIST_ALL
+		Permissions.Users.LIST_ALL,
+		Permissions.Users.VIEW_MINECRAFT
 	));
 
 	public final @Nullable PermissionGroup parent;
diff --git a/platform_api/src/main/java/net/modfest/platform/security/Permissions.java b/platform_api/src/main/java/net/modfest/platform/security/Permissions.java
@@ -14,6 +14,10 @@ public static class Meta {
 
 	public static class Users {
 		public static final String LIST_ALL = "users.list";
+		/**
+		 * Allows the user to view other's their minecraft accounts
+		 */
+		public static final String VIEW_MINECRAFT = "users.view_mc";
 		/**
 		 * Allows the user to edit all other users their data
 		 */

Original file line number	Diff line number	Diff line change
`@@ -50,12 +50,14 @@ public EventData getEvent(@PathVariable String id) {`
`50`	`50`
`51`	`51`	`@PutMapping("/event/{id}/registrations/{userId}")`
`52`	`52`	`public UserData register(@PathVariable String id, @PathVariable String userId) {`
`53`		`- return setRegistration(id, userId, true);`
	`53`	`+ var data = setRegistration(id, userId, true);`
	`54`	`+ return userController.filterSensitiveUserData(data);`
`54`	`55`	`}`
`55`	`56`
`56`	`57`	`@DeleteMapping("/event/{id}/registrations/{userId}")`
`57`	`58`	`public UserData unregister(@PathVariable String id, @PathVariable String userId) {`
`58`		`- return setRegistration(id, userId, false);`
	`59`	`+ var data = setRegistration(id, userId, false);`
	`60`	`+ return userController.filterSensitiveUserData(data);`
`59`	`61`	`}`
`60`	`62`
`61`	`63`	`private UserData setRegistration(@PathVariable String id, @RequestBody String userId, boolean registered) {`