Fix visibility check for api get user info:

- check for teams intersection
- fix context output
- right fake 404 if not visible

Author: sergey-dryabzhinsky

models/user.go

@@ -434,6 +434,11 @@ func (u *User) IsPasswordSet() bool {
 
 // IsVisibleToUser check if viewer is able to see user profile
 func (u *User) IsVisibleToUser(viewer *User) bool {
+
+	if viewer != nil && viewer.IsAdmin {
+		return true
+	}
+
 	switch u.Visibility {
 	case structs.VisibleTypePublic:
 		return true
@@ -446,8 +451,61 @@ func (u *User) IsVisibleToUser(viewer *User) bool {
 		if viewer == nil || viewer.IsRestricted {
 			return false
 		}
-		// if private user if follow the viewer he know each other ...
-		return IsFollowing(u.ID, viewer.ID) || viewer.IsAdmin
+
+		// If they follow - they see each over
+		follower := IsFollowing(u.ID, viewer.ID)
+		if follower {
+			return true
+		}
+
+		// Now we need to check if they in some team together
+
+		var orgIds1 []int64
+		var orgIds2 []int64
+
+		// First user all teams organization
+		if err := x.Table("team_user").
+			Cols("team_user.org_id").
+			Where("team_user.uid = ?", u.ID).
+			Find(&orgIds1); err != nil {
+			return false
+		}
+		if len(orgIds1) == 0 {
+			// No teams 1
+			return false
+		}
+
+		// Second user all teams organization
+		if err := x.Table("team_user").
+			Cols("team_user.org_id").
+			Where("team_user.uid = ?", viewer.ID).
+			Find(&orgIds2); err != nil {
+			return false
+		}
+		if len(orgIds2) == 0 {
+			// No teams 2
+			return false
+		}
+
+		// Intersect they organizations
+		var cond builder.Cond = builder.
+			In("id", orgIds1).
+			And(builder.In("id", orgIds2)).
+			And(builder.Eq{"type": UserTypeOrganization})
+		count, err := x.Table("user").
+			Cols("id").
+			Where(cond).
+			Count(1)
+		if err != nil {
+			return false
+		}
+		if count == 0 {
+			// they teams from different orgs?
+			return false
+		}
+
+		// they in some organizations together
+		return true
 	}
 	return false
 }

routers/api/v1/user/helper.go

@@ -17,7 +17,7 @@ func GetUserByParamsName(ctx *context.APIContext, name string) *models.User {
 	user, err := models.GetUserByName(username)
 	if err != nil {
 		if models.IsErrUserNotExist(err) {
-			if redirectUserID, err := models.LookupUserRedirect(username); err == nil {
+			if redirectUserID, err2 := models.LookupUserRedirect(username); err2 == nil {
 				context.RedirectToUser(ctx.Context, username, redirectUserID)
 			} else {
 				ctx.NotFound("GetUserByName", err)

routers/api/v1/user/user.go

@@ -103,14 +103,16 @@ func GetInfo(ctx *context.APIContext) {
 	//     "$ref": "#/responses/notFound"
 
 	u := GetUserByParams(ctx)
-	if !u.IsVisibleToUser(ctx.User) {
-		ctx.JSON(http.StatusNotFound, nil)
-		return
-	}
+
 	if ctx.Written() {
 		return
 	}
 
+	if !u.IsVisibleToUser(ctx.User) {
+		// fake ErrUserNotExist error message to not leak information about existence
+		ctx.NotFound("GetUserByName", models.ErrUserNotExist{Name: ctx.Params(":username")})
+		return
+	}
 	ctx.JSON(http.StatusOK, convert.ToUser(u, ctx.User))
 }