Merge pull request #761 from rokwire/develop

merge develop into main
rokwire · Feb 20, 2025 · 935d237 · 935d237
2 parents e35ba1c + f356fee
commit 935d237
Show file tree

Hide file tree

Showing 11 changed files with 42 additions and 28 deletions.
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -316,7 +316,7 @@
         "filename": "driver/web/docs/gen/gen_types.go",
         "hashed_secret": "c9739eab2dfa093cc0e450bf0ea81a43ae67b581",
         "is_verified": false,
-        "line_number": 1879
+        "line_number": 1888
       }
     ],
     "driver/web/docs/resources/admin/auth/login.yaml": [
@@ -347,5 +347,5 @@
       }
     ]
   },
-  "generated_at": "2025-01-06T10:55:27Z"
+  "generated_at": "2025-02-20T11:10:01Z"
 }
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## Unreleased
+## [1.48.2] - 2025-20-02
+### Fixed
+- Disable default privacy setting [#759](https://github.com/rokwire/core-building-block/issues/759)
+
 ## [1.48.1] - 2025-19-02
 ### Fixed
 - Fix privacy format [#755](https://github.com/rokwire/core-building-block/issues/755)

diff --git a/SECURITY.md b/SECURITY.md
@@ -4,8 +4,8 @@
 Patches for **Core Building Block** in this repository will only be applied to the following versions:
 | Version  | Supported          |
 | -------- | ------------------ |
-|1.48.1 | :white_check_mark: |
-| < 1.48.1| :x:                |
+|1.48.2 | :white_check_mark: |
+| < 1.48.2| :x:                |
 
 ## Reporting a Bug or Vulnerability
 

diff --git a/core/auth/apis.go b/core/auth/apis.go
@@ -1904,7 +1904,7 @@ func (a *Auth) InitializeSystemAccount(context storage.TransactionContext, authT
 
 	now := time.Now()
 	profile := model.Profile{ID: uuid.NewString(), Email: email, DateCreated: now}
-	privacy := model.Privacy{Public: false}
+	privacy := model.Privacy{Public: nil}
 	permissions := []string{allSystemPermission}
 
 	_, accountAuthType, err := a.applySignUpAdmin(context, authImpl, authType, appOrg, email, password, profile, privacy, "", permissions, nil, nil, nil, permissions, &clientVersion, l)

diff --git a/core/model/user.go b/core/model/user.go
@@ -83,13 +83,18 @@ const (
 
 // Privacy represents the privacy options for each account
 type Privacy struct {
-	Public          bool                   `json:"public" bson:"public"`
-	FieldVisibility map[string]interface{} `json:"field_visibility" bson:"field_visibility"`
+	Public          *bool                   `json:"public" bson:"public"`
+	FieldVisibility *map[string]interface{} `json:"field_visibility" bson:"field_visibility"`
 }
 
 // GetFieldVisibility determines the privacy setting for the account data at path
 func (p *Privacy) GetFieldVisibility(path string) (string, error) {
-	visibilityEntry := utils.GetMapEntryFromPath(p.FieldVisibility, path)
+	fieldVisibility := p.FieldVisibility
+	if fieldVisibility == nil {
+		return VisibilityPrivate, nil
+	}
+
+	visibilityEntry := utils.GetMapEntryFromPath(*fieldVisibility, path)
 	if visibilityEntry == nil {
 		return VisibilityPrivate, nil
 	}
@@ -114,10 +119,10 @@ func (p *Privacy) IsFieldVisible(path string, isConnection bool) (bool, error) {
 // ValidateFieldVisibility ensures each entry in visibilityMap is either another map or one of the three allowed visbility strings (public, connections, private)
 func (p *Privacy) ValidateFieldVisibility(visibilityMap map[string]interface{}) error {
 	if len(visibilityMap) == 0 {
-		if len(p.FieldVisibility) == 0 {
+		if p.FieldVisibility == nil || len(*p.FieldVisibility) == 0 {
 			return nil
 		}
-		visibilityMap = p.FieldVisibility
+		visibilityMap = *p.FieldVisibility
 	}
 
 	for k, v := range visibilityMap {

diff --git a/driver/web/apis_services.go b/driver/web/apis_services.go
@@ -1024,12 +1024,13 @@ func (h ServicesApisHandler) addFollow(l *logs.Log, r *http.Request, claims *tok
 
 	// Check to make sure follower account is public
 	followerAccount, err := h.coreAPIs.Services.SerGetAccount(claims.OrgID, claims.AppID, claims.Subject)
-	if err != nil || followerAccount == nil || !followerAccount.Privacy.Public {
+	if err != nil || followerAccount == nil || followerAccount.Privacy.Public == nil || !*followerAccount.Privacy.Public {
 		return l.HTTPResponseErrorAction(logutils.ActionInsert, model.TypeFollow, nil, err, http.StatusBadRequest, true)
 	}
 
 	// Check to make sure account is public
-	if !account.Privacy.Public {
+	accountPrivacy := account.Privacy
+	if accountPrivacy.Public == nil || !*accountPrivacy.Public {
 		return l.HTTPResponseErrorAction(logutils.ActionInsert, model.TypeFollow, nil, err, http.StatusForbidden, true)
 	}
 

diff --git a/driver/web/conversions_user.go b/driver/web/conversions_user.go
@@ -372,8 +372,8 @@ func privacyToDef(item *model.Privacy) *Def.Privacy {
 	}
 
 	return &Def.Privacy{
-		Public:          &item.Public,
-		FieldVisibility: &item.FieldVisibility,
+		Public:          item.Public,
+		FieldVisibility: item.FieldVisibility,
 	}
 }
 
@@ -391,7 +391,7 @@ func privacyFromDef(item *Def.Privacy) model.Privacy {
 		fieldVisibility = *item.FieldVisibility
 	}
 
-	return model.Privacy{Public: public, FieldVisibility: fieldVisibility}
+	return model.Privacy{Public: &public, FieldVisibility: &fieldVisibility}
 }
 
 func privacyFromDefNullable(item *Def.PrivacyNullable) model.Privacy {
@@ -408,20 +408,13 @@ func privacyFromDefNullable(item *Def.PrivacyNullable) model.Privacy {
 		fieldVisibility = *item.FieldVisibility
 	}
 
-	return model.Privacy{Public: public, FieldVisibility: fieldVisibility}
+	return model.Privacy{Public: &public, FieldVisibility: &fieldVisibility}
 }
 
 func defaultPrivacy() model.Privacy {
 	return model.Privacy{
-		Public: true,
-		FieldVisibility: map[string]interface{}{
-			"profile": map[string]interface{}{
-				"first_name":  "public",
-				"last_name":   "public",
-				"middle_name": "public",
-				"email":       "public",
-			},
-		},
+		Public:          nil,
+		FieldVisibility: nil,
 	}
 }
 

diff --git a/driver/web/docs/gen/def.yaml b/driver/web/docs/gen/def.yaml
@@ -2,7 +2,7 @@ openapi: 3.0.3
 info:
   title: Rokwire Core Building Block API
   description: Core Building Block API Documentation
-  version: 1.48.1
+  version: 1.48.2
 servers:
   - url: 'https://api.rokwire.illinois.edu/core'
     description: Production server
@@ -7127,6 +7127,7 @@ components:
       properties:
         public:
           type: boolean
+          nullable: true
         field_visibility:
           type: object
           additionalProperties: true

diff --git a/driver/web/docs/gen/gen_types.go b/driver/web/docs/gen/gen_types.go
diff --git a/driver/web/docs/index.yaml b/driver/web/docs/index.yaml
@@ -2,7 +2,7 @@ openapi: 3.0.3
 info:
   title: Rokwire Core Building Block API
   description: Core Building Block API Documentation
-  version: 1.48.1
+  version: 1.48.2
 servers:
   - url: https://api.rokwire.illinois.edu/core
     description: Production server

diff --git a/driver/web/docs/schemas/user/Privacy.yaml b/driver/web/docs/schemas/user/Privacy.yaml
@@ -2,6 +2,7 @@ type: object
 properties:
   public:
     type: boolean
+    nullable: true
   field_visibility:
     type: object
     additionalProperties: true