From 775676d64bde944ae6b8c78abc4d2ebbe21d46f7 Mon Sep 17 00:00:00 2001
From: David Svantesson <davidsvantesson@gmail.com>
Date: Thu, 21 Nov 2019 21:30:37 +0100
Subject: [PATCH 1/2] Fix what information is shown about user in API.

---
 modules/convert/convert.go | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/modules/convert/convert.go b/modules/convert/convert.go
index d3b2e38165b9..f9fd94acc877 100644
--- a/modules/convert/convert.go
+++ b/modules/convert/convert.go
@@ -256,6 +256,7 @@ func ToTeam(team *models.Team) *api.Team {
 }
 
 // ToUser convert models.User to api.User
+// signed shall only be set if requester is logged in. authed shall only be set if user is site admin or user himself
 func ToUser(user *models.User, signed, authed bool) *api.User {
 	result := &api.User{
 		UserName:  user.Name,
@@ -263,14 +264,13 @@ func ToUser(user *models.User, signed, authed bool) *api.User {
 		FullName:  markup.Sanitize(user.FullName),
 		Created:   user.CreatedUnix.AsTime(),
 	}
-	// hide primary email if API caller isn't user itself or an admin
-	if !signed {
-		result.Email = ""
-	} else if user.KeepEmailPrivate && !authed {
+	// hide primary email if API caller is anonymous or user keep email private
+	if signed && (!user.KeepEmailPrivate || authed) {
 		result.Email = user.GetEmail()
-	} else { // only user himself and admin could visit these information
+	}
+	// only site admin will get these information and possibly user himself
+	if authed {
 		result.ID = user.ID
-		result.Email = user.Email
 		result.IsAdmin = user.IsAdmin
 		result.LastLogin = user.LastLoginUnix.AsTime()
 	}

From c2464b83889a3ba7433ad08f662a322452a46f5d Mon Sep 17 00:00:00 2001
From: David Svantesson <davidsvantesson@gmail.com>
Date: Fri, 22 Nov 2019 08:22:25 +0100
Subject: [PATCH 2/2] Use Email directly, as KeepEmailPrivate is already
 handled.

---
 modules/convert/convert.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/convert/convert.go b/modules/convert/convert.go
index f9fd94acc877..0fa05d08508a 100644
--- a/modules/convert/convert.go
+++ b/modules/convert/convert.go
@@ -266,7 +266,7 @@ func ToUser(user *models.User, signed, authed bool) *api.User {
 	}
 	// hide primary email if API caller is anonymous or user keep email private
 	if signed && (!user.KeepEmailPrivate || authed) {
-		result.Email = user.GetEmail()
+		result.Email = user.Email
 	}
 	// only site admin will get these information and possibly user himself
 	if authed {