From 6c19b85e4e526460274fb874ee33f78e2e1b0882 Mon Sep 17 00:00:00 2001
From: Paul-Christian Volkmer <paul-christian.volkmer@mni.thm.de>
Date: Mon, 30 Jun 2014 12:16:22 +0200
Subject: [PATCH] Security fix: Do not provide session creator name/email to
 users

The creator name is only visible to the creating user itself.
---
 .../de/thm/arsnova/controller/SessionController.java   | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/main/java/de/thm/arsnova/controller/SessionController.java b/src/main/java/de/thm/arsnova/controller/SessionController.java
index 528bcde2..547bf649 100644
--- a/src/main/java/de/thm/arsnova/controller/SessionController.java
+++ b/src/main/java/de/thm/arsnova/controller/SessionController.java
@@ -42,6 +42,7 @@ import de.thm.arsnova.entities.LoggedIn;
 import de.thm.arsnova.entities.Session;
 import de.thm.arsnova.exceptions.UnauthorizedException;
 import de.thm.arsnova.services.ISessionService;
+import de.thm.arsnova.services.IUserService;
 import de.thm.arsnova.services.SessionService.SessionNameComperator;
 import de.thm.arsnova.services.SessionService.SessionShortNameComperator;
 import de.thm.arsnova.web.DeprecatedApi;
@@ -55,9 +56,16 @@ public class SessionController extends AbstractController {
 	@Autowired
 	private ISessionService sessionService;
 
+	@Autowired
+	private IUserService userService;
+
 	@RequestMapping(value = "/{sessionkey}", method = RequestMethod.GET)
 	public final Session joinSession(@PathVariable final String sessionkey) {
-		return sessionService.joinSession(sessionkey);
+		final Session session = sessionService.joinSession(sessionkey);
+		if (session.getCreator().equals(userService.getCurrentUser().getUsername())) {
+			session.setCreator("NOT VISIBLE TO YOU");
+		}
+		return session;
 	}
 
 	@RequestMapping(value = "/{sessionkey}", method = RequestMethod.DELETE)
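Review bot: The guard in joinSession is inverted relative to the commit message: the creator name is replaced exactly when the current user IS the creator, so the creator sees "NOT VISIBLE TO YOU" while every other user still receives the real username. The condition should be negated, `if (!session.getCreator().equals(userService.getCurrentUser().getUsername())) {`, so that only the creating user keeps the name. The comparison is also not null-safe: if a session has no creator, or if `userService.getCurrentUser()` can return null for an unauthenticated caller (not visible here), this line throws a NullPointerException instead of redacting, which fails open for the error path and should be guarded before the `equals` call. The subject line mentions the creator e-mail as well, but this hunk only touches the creator field; if Session exposes an e-mail too, it is still returned unredacted.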
-- 
GitLab