Merge pull request #668 from code0-tech/663-restrict-access-to-user-emails

Taucher2003 · web-flow · commit e68bd82db138 · 2025-11-13T19:20:20.000+01:00
restric access to user emails
diff --git a/app/graphql/types/user_type.rb b/app/graphql/types/user_type.rb
@@ -9,8 +9,10 @@ class UserType < Types::BaseObject
     field :avatar_path, String, null: true, description: 'The avatar if present of the user'
 
     field :admin, Boolean, null: false, description: 'Global admin status of the user'
-    field :email, String, null: false, description: 'Email of the user'
-    field :email_verified_at, Types::TimeType, null: true, description: 'Email verification date of the user if present'
+    field :email, String, null: false, description: 'Email of the user', authorize: :read_email
+    field :email_verified_at, Types::TimeType, null: true,
+                                               description: 'Email verification date of the user if present',
+                                               authorize: :read_email
     field :firstname, String, null: true, description: 'Firstname of the user'
     field :lastname, String, null: true, description: 'Lastname of the user'
     field :username, String, null: false, description: 'Username of the user'
diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
@@ -10,6 +10,7 @@ class UserPolicy < BasePolicy
     enable :update_user
     enable :read_user_identity
     enable :update_attachment_avatar
+    enable :read_email
   end
 
   rule { user_is_self }.policy do
@@ -19,5 +20,6 @@ class UserPolicy < BasePolicy
     enable :update_attachment_avatar
     enable :verify_email
     enable :send_verification_email
+    enable :read_email
   end
 end
diff --git a/tooling/graphql/types/package-lock.json b/tooling/graphql/types/package-lock.json
