diff --git a/services/web/app/src/Features/Subscription/SubscriptionController.js b/services/web/app/src/Features/Subscription/SubscriptionController.js
index 41b8eac017..685e5e621b 100644
--- a/services/web/app/src/Features/Subscription/SubscriptionController.js
+++ b/services/web/app/src/Features/Subscription/SubscriptionController.js
@@ -33,6 +33,9 @@ const PaymentProviderEntities = require('./PaymentProviderEntities')
 const { User } = require('../../models/User')
 const UserGetter = require('../User/UserGetter')
 const PermissionsManager = require('../Authorization/PermissionsManager')
+const {
+sanitizeSessionUserForFrontEnd,
+} = require('../../infrastructure/FrontEndUser')
 
 /**
 * @import { SubscriptionChangeDescription } from '../../../../types/subscription/subscription-change-preview'
@@ -318,7 +321,9 @@ function cancelSubscription(req, res, next) {
 async function canceledSubscription(req, res, next) {
 return res.render('subscriptions/canceled-subscription-react', {
 title: 'subscription_canceled',
-user: SessionManager.getSessionUser(req.session),
+user: sanitizeSessionUserForFrontEnd(
+SessionManager.getSessionUser(req.session)
+),
 })
 }
 
diff --git a/services/web/app/src/Features/Subscription/TeamInvitesController.mjs b/services/web/app/src/Features/Subscription/TeamInvitesController.mjs
index 39cc2b9655..1eb9ac2907 100644
--- a/services/web/app/src/Features/Subscription/TeamInvitesController.mjs
+++ b/services/web/app/src/Features/Subscription/TeamInvitesController.mjs
@@ -15,6 +15,7 @@ import EmailHandler from '../Email/EmailHandler.js'
 import { RateLimiter } from '../../infrastructure/RateLimiter.js'
 import Modules from '../../infrastructure/Modules.js'
 import UserAuditLogHandler from '../User/UserAuditLogHandler.js'
+import { sanitizeSessionUserForFrontEnd } from '../../infrastructure/FrontEndUser.js'
 
 const rateLimiters = {
 resendGroupInvite: new RateLimiter('resend-group-invite', {
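Review bot: The `user` value rendered by `canceledSubscription` changes for a request without a session user: it used to be whatever `SessionManager.getSessionUser(req.session)` returned, and it is now the helper's `null`, because `sanitizeSessionUserForFrontEnd` maps a nullish input to `null`. If the `canceled-subscription-react` view distinguishes `undefined` from `null` that is a behaviour change worth confirming; the hunk does not show how the view reads `user`. The switch itself is the right direction, since the raw session user was previously passed straight to the view. A one-line comment above the call, `// only the allow-listed fields (email, first_name, last_name) reach the view`, would make that intent visible to the next editor of this render call.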
@@ -143,7 +144,7 @@ async function viewInvite(req, res, next) {
 currentManagedUserAdminEmail,
 groupSSOActive,
 subscriptionId: subscription._id.toString(),
-user: sessionUser,
+user: sanitizeSessionUserForFrontEnd(sessionUser),
 usersSubscription,
 })
 } else {
@@ -164,7 +165,7 @@ async function viewInvite(req, res, next) {
 currentManagedUserAdminEmail,
 groupSSOActive,
 subscriptionId: subscription._id.toString(),
-user: sessionUser,
+user: sanitizeSessionUserForFrontEnd(sessionUser),
 })
 }
 } else {
diff --git a/services/web/app/src/infrastructure/ExpressLocals.js b/services/web/app/src/infrastructure/ExpressLocals.js
index eae1b48219..34eda0ba2d 100644
--- a/services/web/app/src/infrastructure/ExpressLocals.js
+++ b/services/web/app/src/infrastructure/ExpressLocals.js
@@ -19,6 +19,7 @@ const {
 const {
 addOptionalCleanupHandlerAfterDrainingConnections,
 } = require('./GracefulShutdown')
+const { sanitizeSessionUserForFrontEnd } = require('./FrontEndUser')
 
 const IEEE_BRAND_ID = Settings.ieeeBrandId
 
@@ -300,11 +301,7 @@ module.exports = function (webRouter, privateApiRouter, publicApiRouter) {
 webRouter.use(function (req, res, next) {
 const currentUser = SessionManager.getSessionUser(req.session)
 if (currentUser != null) {
-res.locals.user = {
-email: currentUser.email,
-first_name: currentUser.first_name,
-last_name: currentUser.last_name,
-}
+res.locals.user = sanitizeSessionUserForFrontEnd(currentUser)
 }
 next()
 })
diff --git a/services/web/app/src/infrastructure/FrontEndUser.js b/services/web/app/src/infrastructure/FrontEndUser.js
new file mode 100644
index 0000000000..5a4af9868c
--- /dev/null
+++ b/services/web/app/src/infrastructure/FrontEndUser.js
@@ -0,0 +1,15 @@
+function sanitizeSessionUserForFrontEnd(sessionUser) {
+if (sessionUser != null) {
+return {
+email: sessionUser.email,
+first_name: sessionUser.first_name,
+last_name: sessionUser.last_name,
+}
+}
+
+return null
+}
+
+module.exports = {
+sanitizeSessionUserForFrontEnd,
+}
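Review bot: `sanitizeSessionUserForFrontEnd(sessionUser)` is evaluated separately in both render calls of `viewInvite` (the hunks at 144 and 165), so the two branches can drift if one is edited later; computing it once above the branch, `const frontEndUser = sanitizeSessionUserForFrontEnd(sessionUser)`, and passing `user: frontEndUser` in both places keeps them in step. The body of `viewInvite` begins and ends outside these hunks, so the spot for that line is not visible here. This is a point of style only.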
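Review bot: The `currentUser != null` guard in the middleware (hunk at 301) now duplicates the null check inside `sanitizeSessionUserForFrontEnd`, which makes it look removable, yet it still matters: without it `res.locals.user` would be set to `null` for anonymous requests instead of being left unset, which presumably is visible to any view that tests the property. A comment on the `if`, `// keep the guard: the helper returns null, and res.locals.user is left unset for anonymous requests`, records why the check was not folded into the helper. The earlier hunk in this file is an import only.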
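Review bot: `sanitizeSessionUserForFrontEnd` has no JSDoc, and since it is now the single allow-list deciding which session-user fields reach views and `res.locals`, its contract deserves a header comment. I would document that it copies only `email`, `first_name` and `last_name` from the session user, that every other field on the session object is dropped on purpose and must be added here deliberately if a view needs it, and that a `null` or `undefined` input yields `null`; typed as `@param {object|null|undefined} sessionUser` and `@returns {{email: string, first_name: string, last_name: string}|null}`. The field types are presumed from the names, so confirm them against the session user shape before pinning them in the JSDoc.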