From e53673e8dfba3890e0d57312351d794babce56b2 Mon Sep 17 00:00:00 2001
From: Robert Munteanu <rmuntean@adobe.com>
Date: Wed, 30 Apr 2014 22:42:22 +0300
Subject: [PATCH] SOAP API: apply access control to mci_account_get_array_by_id

The access controls are the same as the ones applied by
view_user_page.php, with the single addition of making the info
available if the user requests their own information.

This preserves the behaviour of the mc_login method call.

Fixes #17243: SOAP API: information leak regarding user personal information
---
 api/soap/mc_account_api.php | 33 +++++++++++++++++++++++++--------
 1 file changed, 25 insertions(+), 8 deletions(-)

diff --git a/api/soap/mc_account_api.php b/api/soap/mc_account_api.php
index 83ed264..999e017 100644
--- a/api/soap/mc_account_api.php
+++ b/api/soap/mc_account_api.php
@@ -11,18 +11,35 @@ function mci_account_get_array_by_id( $p_user_id ) {
 	$t_result['id'] = $p_user_id;
 
 	if( user_exists( $p_user_id ) ) {
+
+        $t_current_user_id = auth_get_current_user_id();
+        $t_access_level = user_get_field ( $t_current_user_id, 'access_level' );
+        $t_can_manage = access_has_global_level( config_get( 'manage_user_threshold' ) ) &&
+            access_has_global_level( $t_access_level );
+
+        # this deviates from the behaviour of view_user_page.php, but it is more intuitive
+        $t_is_same_user = $t_current_user_id === $p_user_id;
+
+        $t_can_see_realname = access_has_project_level( config_get( 'show_user_realname_threshold' ) );
+        $t_can_see_email = access_has_project_level( config_get( 'show_user_email_threshold' ) );
+
 		$t_result['name'] = user_get_field( $p_user_id, 'username' );
-		$t_dummy = user_get_field( $p_user_id, 'realname' );
 
-		if( !empty( $t_dummy ) ) {
-			$t_result['real_name'] = $t_dummy;
-		}
+        if ( $t_is_same_user || $t_can_manage || $t_can_see_realname ) {
+            $t_realname = user_get_realname( $p_user_id );
+
+            if( !empty( $t_realname ) ) {
+                $t_result['real_name'] = $t_realname;
+            }
+        }
 
-		$t_dummy = user_get_field( $p_user_id, 'email' );
+        if ( $t_is_same_user || $t_can_manage || $t_can_see_email ) {
+            $t_email = user_get_email( $p_user_id );
 
-		if( !empty( $t_dummy ) ) {
-			$t_result['email'] = $t_dummy;
-		}
+            if( !empty( $t_email ) ) {
+                $t_result['email'] = $t_email;
+            }
+        }
 	}
 	return $t_result;
 }
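Review bot: The second half of the `$t_can_manage` check is a tautology: `$t_access_level` is read from `$t_current_user_id` on the line above, so `access_has_global_level( $t_access_level )` asks whether the caller holds their own access level, which is always true, and the condition collapses to the `manage_user_threshold` check alone. If the intent is to mirror view_user_page.php, which the commit message says it does, the level to compare against is presumably the target user's, `$t_access_level = user_get_field( $p_user_id, 'access_level' );`, so that a manager cannot read the real name and e-mail of accounts above their own level. As written the check is more permissive than the page it claims to copy, so this is worth confirming before merge. Separately, `$t_is_same_user` uses `===` between `auth_get_current_user_id()` and `$p_user_id`; if callers pass the id as a string (SOAP parameters and DB rows commonly arrive that way) the comparison is silently false and the self-lookup branch never fires, so `(int)$t_current_user_id === (int)$p_user_id` is safer. The new lines are indented with four spaces while the surrounding function uses tabs, and `user_get_field (` has a stray space before the parenthesis; the function's opening line is outside the hunk.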
-- 
1.8.4.5

