remove potentially sensitive fields from group self

2025-05-24 01:12:54 -04:00 · 2024-03-15 19:50:39 +00:00 · 2024-03-15 19:50:39 +00:00 · 52c6fe34b2
commit 52c6fe34b2
parent b6ccb9fbdb
5 changed files with 29 additions and 7 deletions
--- a/frontend/composables/use-groups.ts
+++ b/frontend/composables/use-groups.ts
@ -1,8 +1,8 @@
 import { useAsync, ref } from "@nuxtjs/composition-api";
 import { useUserApi } from "~/composables/api";
-import { GroupBase, GroupInDB } from "~/lib/api/types/user";
+import { GroupBase, GroupSummary } from "~/lib/api/types/user";

-const groupSelfRef = ref<GroupInDB | null>(null);
+const groupSelfRef = ref<GroupSummary | null>(null);
 const loading = ref(false);

 export const useGroupSelf = function () {
--- a/frontend/lib/api/types/user.ts
+++ b/frontend/lib/api/types/user.ts
@ -48,6 +48,13 @@ export interface GroupInDB {
  users?: UserOut[];
  preferences?: ReadGroupPreferences;
 }
+export interface GroupSummary {
+  name: string;
+  id: string;
+  slug: string;
+  preferences?: ReadGroupPreferences;
+
+}
 export interface CategoryBase {
  name: string;
  id: string;
--- a/frontend/lib/api/user/groups.ts
+++ b/frontend/lib/api/user/groups.ts
@ -1,5 +1,5 @@
 import { BaseCRUDAPI } from "../base/base-clients";
-import { CategoryBase, GroupBase, GroupInDB, UserOut } from "~/lib/api/types/user";
+import { CategoryBase, GroupBase, GroupInDB, GroupSummary, UserOut } from "~/lib/api/types/user";
 import {
  CreateInviteToken,
  GroupAdminUpdate,
@ -35,7 +35,7 @@ export class GroupAPI extends BaseCRUDAPI<GroupBase, GroupInDB, GroupAdminUpdate
  /** Returns the Group Data for the Current User
   */
  async getCurrentUserGroup() {
-    return await this.requests.get<GroupInDB>(routes.groupsSelf);
+    return await this.requests.get<GroupSummary>(routes.groupsSelf);
  }

  async getCategories() {
--- a/mealie/routes/groups/controller_group_self_service.py
+++ b/mealie/routes/groups/controller_group_self_service.py
@ -8,7 +8,7 @@ from mealie.routes._base.routers import UserAPIRouter
 from mealie.schema.group.group_permissions import SetPermissions
 from mealie.schema.group.group_preferences import ReadGroupPreferences, UpdateGroupPreferences
 from mealie.schema.group.group_statistics import GroupStatistics, GroupStorage
-from mealie.schema.user.user import GroupInDB, UserOut
+from mealie.schema.user.user import GroupInDB, GroupSummary, UserOut
 from mealie.services.group_services.group_service import GroupService

 router = UserAPIRouter(prefix="/groups", tags=["Groups: Self Service"])
@ -20,10 +20,10 @@ class GroupSelfServiceController(BaseUserController):
    def service(self) -> GroupService:
        return GroupService(self.group_id, self.repos)

-    @router.get("/self", response_model=GroupInDB)
+    @router.get("/self", response_model=GroupSummary)
    def get_logged_in_user_group(self):
        """Returns the Group Data for the Current User"""
-        return self.group
+        return self.group.cast(GroupSummary)

    @router.get("/members", response_model=list[UserOut])
    def get_group_members(self):
--- a/mealie/schema/user/user.py
+++ b/mealie/schema/user/user.py
@ -249,6 +249,21 @@ class GroupInDB(UpdateGroup):
        ]


+class GroupSummary(MealieModel):
+    id: UUID4
+    name: str
+    slug: str
+    preferences: ReadGroupPreferences | None = None
+
+    model_config = ConfigDict(from_attributes=True)
+
+    @classmethod
+    def loader_options(cls) -> list[LoaderOption]:
+        return [
+            joinedload(Group.preferences),
+        ]
+
+
 class GroupPagination(PaginationBase):
    items: list[GroupInDB]