Hide incident email to non-admins

ooni · Oct 16, 2023 · 72c8d3c · 72c8d3c
1 parent dd0e77c
commit 72c8d3c
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/api/ooniapi/incidents.py b/api/ooniapi/incidents.py
@@ -96,6 +96,8 @@ def search_list_incidents() -> Response:
         rows = list(q)
         for r in rows:
             r["published"] = bool(r["published"])
+            if account_id is None or get_client_role() != "admin":
+                r["email_address"] = None  # hide email
         return nocachejson(incidents=rows, v=1)
     except BaseOONIException as e:
         return jerror(e)
@@ -140,6 +142,8 @@ def show_incident(incident_id: str) -> Response:
             return jerror("Not found")
         inc = q[0]
         inc["published"] = bool(inc["published"])
+        if account_id is None or get_client_role() != "admin":
+            inc["email_address"] = None  # hide email
         # TODO: cache if possible
         return nocachejson(incident=inc, v=1)
     except BaseOONIException as e: