[web] skip fetching members and invites for restricted users (#25673)

* [web] hide sensitive data from joinProject when building project view * [web] skip fetching members and invites for restricted users * [web] fix owner features in joinProject view * [web] separate invited members from owner * [web] skip fetching users with empty members list * [web] split await chain Co-authored-by: Antoine Clausse <antoine.clausse@overleaf.com> * [web] remove spurious parentheses * [web] remove dead code Co-authored-by: Antoine Clausse <antoine.clausse@overleaf.com> --------- Co-authored-by: Antoine Clausse <antoine.clausse@overleaf.com> GitOrigin-RevId: 5b4d874f974971e9c14d7412620805f8ebf63541
2026-05-26 18:51:50 +02:00 · 2025-06-02 13:38:40 +02:00
parent 93c221775e
commit b45ffbf055
6 changed files with 268 additions and 189 deletions
--- a/services/web/app/src/Features/Project/ProjectEditorHandler.js
+++ b/services/web/app/src/Features/Project/ProjectEditorHandler.js
@@ -6,8 +6,13 @@ const Features = require('../../infrastructure/Features')
 module.exports = ProjectEditorHandler = {
  trackChangesAvailable: false,

-  buildProjectModelView(project, members, invites) {
-    let owner, ownerFeatures
+  buildProjectModelView(
+    project,
+    ownerMember,
+    members,
+    invites,
+    isRestrictedUser
+  ) {
    const result = {
      _id: project._id,
      name: project.name,
@@ -20,20 +25,23 @@ module.exports = ProjectEditorHandler = {
      description: project.description,
      spellCheckLanguage: project.spellCheckLanguage,
      deletedByExternalDataSource: project.deletedByExternalDataSource || false,
-      members: [],
-      invites: this.buildInvitesView(invites),
      imageName:
        project.imageName != null
          ? Path.basename(project.imageName)
          : undefined,
    }

-    ;({ owner, ownerFeatures, members } =
-      this.buildOwnerAndMembersViews(members))
-    result.owner = owner
-    result.members = members
+    if (isRestrictedUser) {
+      result.owner = { _id: project.owner_ref }
+      result.members = []
+      result.invites = []
+    } else {
+      result.owner = this.buildUserModelView(ownerMember)
+      result.members = members.map(this.buildUserModelView)
+      result.invites = this.buildInvitesView(invites)
+    }

-    result.features = _.defaults(ownerFeatures || {}, {
+    result.features = _.defaults(ownerMember?.user?.features || {}, {
      collaborators: -1, // Infinite
      versioning: false,
      dropbox: false,
@@ -62,25 +70,6 @@ module.exports = ProjectEditorHandler = {
    return result
  },

-  buildOwnerAndMembersViews(members) {
-    let owner = null
-    let ownerFeatures = null
-    const filteredMembers = []
-    for (const member of members || []) {
-      if (member.privilegeLevel === 'owner') {
-        ownerFeatures = member.user.features
-        owner = this.buildUserModelView(member)
-      } else {
-        filteredMembers.push(this.buildUserModelView(member))
-      }
-    }
-    return {
-      owner,
-      ownerFeatures,
-      members: filteredMembers,
-    }
-  },
-
  buildUserModelView(member) {
    const user = member.user
    return {