Merge branch 'dev' for release 6.5.4

Author: gnepud

CHANGELOG.md

@@ -2,6 +2,14 @@
 
 ## Next release
 
+## v6.5.4 2026 March 31
+
+- Fix a security issue: restrict exposed personal data in `/api/last_subscribed`, `/api/members` and `/api/members/:id` for public and non-privileged users
+
+## v6.5.3 2026 March 26
+
+- improvement: update memeber link to edit instead of show in reservations
+
 ## v6.5.2 2026 March 4
 
 - Fix a bug: unable to update event slots when recurrent event is modified

Gemfile.lock

@@ -551,6 +551,7 @@ PLATFORMS
   x86_64-darwin-20
   x86_64-darwin-21
   x86_64-darwin-23
+  x86_64-darwin-25
   x86_64-linux
 
 DEPENDENCIES

app/controllers/api/members_controller.rb

@@ -16,18 +16,19 @@ def index
     # remove unmerged profiles from list
     @members = @query.to_a
     @members.delete_if(&:need_completion?)
+    @restricted_member_index = !current_user.privileged?
   end
 
   def last_subscribed
-    @query, @members = Members::MembersService.last_registered(params[:last])
-
-    @requested_attributes = ['profile']
+    @query, @members = Members::MembersService.last_registered
+    @public_last_subscribed = true
     render :index
   end
 
   def show
     @member = User.friendly.find(params[:id])
     authorize @member
+    @restricted_member_show = !current_user.privileged?
   end
 
   def create

app/frontend/src/javascript/lib/format.ts

@@ -62,7 +62,7 @@ export default class FormatLib {
    */
   private static parseISOtime = (date: TDateISO|TDateISOShortTime): Date => {
     const isoTimeMatch = (date as string)?.match(/(^|T)(\d\d:\d\d)/);
-    return new Date(`${moment().format('YYYY-MM-DD')}T${isoTimeMatch[2]}:00${Fablab.timezone_offset}`);
+    return moment.tz(`${moment().format('YYYY-MM-DD')}T${isoTimeMatch[2]}:00`, Fablab.timezone).toDate();
   };
 
   /**

app/frontend/templates/admin/events/reservations.html

@@ -32,7 +32,7 @@ <h1>{{ 'app.admin.event_reservations.the_reservations' | translate }} {{event.ti
           <tbody>
           <tr ng-repeat="reservation in reservations" ng-class="{'disabled': isCancelled(reservation)}">
             <td class="text-c">
-              <a ui-sref="app.logged.members_show({id: reservation.user_id})">{{ reservation.user_full_name }} </a>
+              <a ui-sref="app.admin.members_edit({id: reservation.user_id})">{{ reservation.user_full_name }} </a>
             </td>
             <td>
               <span ng-if="event.event_type === 'standard'">{{ reservation.user_full_name }} </span>

app/services/members/members_service.rb

@@ -103,12 +103,12 @@ def self.handle_organization(params)
     params
   end
 
-  def self.last_registered(limit)
+  def self.last_registered
     query = User.active.with_role(:member)
                 .includes(:statistic_profile, profile: [:user_avatar])
                 .where('is_allow_contact = true AND confirmed_at IS NOT NULL')
                 .order('created_at desc')
-                .limit(limit)
+                .limit(10)
 
     # remove unmerged profiles from list
     members = query.to_a

app/views/api/members/_member.json.jbuilder

@@ -1,91 +1,119 @@
 # frozen_string_literal: true
 
-json.extract! member, :id, :username, :email, :group_id
-json.role member.roles.first.name
+json.extract! member, :username, :email, :slug
+unless @restricted_member_show
+  json.id member.id
+  json.group_id member.group_id
+  json.role member.roles.first.name
+end
 json.name member.profile.full_name
-json.need_completion member.need_completion?
-json.ip_address member.current_sign_in_ip.to_s
-json.mapped_from_sso member.mapped_from_sso&.split(',')
+json.need_completion member.need_completion? unless @restricted_member_show
+json.ip_address member.current_sign_in_ip.to_s unless @restricted_member_show
+json.mapped_from_sso member.mapped_from_sso&.split(',') unless @restricted_member_show
 
 json.profile_attributes do
-  json.extract! member.profile, :id, :first_name, :last_name, :interest, :software_mastered, :phone, :website, :job
-  if member.profile.user_avatar
-    json.user_avatar_attributes do
-      json.id member.profile.user_avatar.id
-      json.attachment_url "#{member.profile.user_avatar.attachment_url}?#{member.profile.user_avatar.updated_at.to_i}"
+  json.first_name member.profile.first_name
+  json.last_name member.profile.last_name
+  json.interest member.profile.interest
+  json.software_mastered member.profile.software_mastered
+
+  if @restricted_member_show
+    json.facebook member.profile.facebook
+    json.twitter member.profile.twitter
+    json.viadeo member.profile.viadeo
+    json.linkedin member.profile.linkedin
+    json.instagram member.profile.instagram
+    json.youtube member.profile.youtube
+    json.vimeo member.profile.vimeo
+    json.dailymotion member.profile.dailymotion
+    json.github member.profile.github
+    json.echosciences member.profile.echosciences
+    json.pinterest member.profile.pinterest
+    json.lastfm member.profile.lastfm
+    json.flickr member.profile.flickr
+  else
+    json.id member.profile.id
+    json.phone member.profile.phone
+    json.website member.profile.website
+    json.job member.profile.job
+    if member.profile.user_avatar
+      json.user_avatar do
+        json.id member.profile.user_avatar.id
+        json.attachment_url "#{member.profile.user_avatar.attachment_url}?#{member.profile.user_avatar.updated_at.to_i}"
+      end
     end
+    json.extract! member.profile, :facebook, :twitter, :viadeo, :linkedin, :instagram, :youtube, :vimeo, :dailymotion, :github, :echosciences, :pinterest, :lastfm, :flickr
+    json.tours member.profile.tours&.split || []
   end
-  json.extract! member.profile, :facebook, :twitter, :viadeo, :linkedin, :instagram, :youtube, :vimeo, :dailymotion, :github, :echosciences, :pinterest, :lastfm, :flickr
-  json.tours member.profile.tours&.split || []
 end
 
-json.invoicing_profile_attributes do
-  json.extract! member.invoicing_profile, :id, :external_id
-  if member.invoicing_profile.address
-    json.address_attributes do
-      json.id member.invoicing_profile.address.id
-      json.address member.invoicing_profile.address.address
+unless @restricted_member_show
+  json.invoicing_profile_attributes do
+    json.extract! member.invoicing_profile, :id, :external_id
+    if member.invoicing_profile.address
+      json.address_attributes do
+        json.id member.invoicing_profile.address.id
+        json.address member.invoicing_profile.address.address
+      end
     end
-  end
 
-  if member.invoicing_profile.organization
-    json.organization_attributes do
-      json.extract! member.invoicing_profile.organization, :id, :name
-      if member.invoicing_profile.organization.address
-        json.address_attributes do
-          json.id member.invoicing_profile.organization.address.id
-          json.address member.invoicing_profile.organization.address.address
+    if member.invoicing_profile.organization
+      json.organization_attributes do
+        json.extract! member.invoicing_profile.organization, :id, :name
+        if member.invoicing_profile.organization.address
+          json.address_attributes do
+            json.id member.invoicing_profile.organization.address.id
+            json.address member.invoicing_profile.organization.address.address
+          end
         end
       end
     end
-  end
 
-  json.user_profile_custom_fields_attributes member.invoicing_profile.user_profile_custom_fields
-    .joins(:profile_custom_field).where('profile_custom_fields.actived' => true).order('profile_custom_fields.id ASC') do |f|
-    json.id f.id
-    json.invoicing_profile_id f.invoicing_profile_id
-    json.profile_custom_field_id f.profile_custom_field_id
-    json.value f.value
+    json.user_profile_custom_fields_attributes member.invoicing_profile.user_profile_custom_fields
+      .joins(:profile_custom_field).where('profile_custom_fields.actived' => true).order('profile_custom_fields.id ASC') do |f|
+      json.id f.id
+      json.invoicing_profile_id f.invoicing_profile_id
+      json.profile_custom_field_id f.profile_custom_field_id
+      json.value f.value
+    end
   end
-end
 
-json.statistic_profile_attributes do
-  json.id member.statistic_profile.id
-  json.gender member.statistic_profile.gender.to_s
-  json.birthday member.statistic_profile&.birthday&.to_date&.iso8601
-  json.training_ids member.statistic_profile&.training_ids
-end
+  json.statistic_profile_attributes do
+    json.id member.statistic_profile.id
+    json.gender member.statistic_profile.gender.to_s
+    json.birthday member.statistic_profile&.birthday&.to_date&.iso8601
+    json.training_ids member.statistic_profile&.training_ids
+  end
 
-if member.subscribed_plan
-  json.subscribed_plan do
-    json.partial! 'api/shared/plan', plan: member.subscribed_plan
+  if member.subscribed_plan
+    json.subscribed_plan do
+      json.partial! 'api/shared/plan', plan: member.subscribed_plan
+    end
   end
-end
 
-if member.subscription
-  json.subscription do
-    json.id member.subscription.id
-    json.expired_at member.subscription.expired_at.iso8601
-    json.canceled_at member.subscription.canceled_at.iso8601 if member.subscription.canceled_at
-    json.plan do # TODO, refactor: duplicates subscribed_plan
-      json.id member.subscription.plan.id
-      json.base_name member.subscription.plan.base_name
-      json.name member.subscription.plan.name
-      json.interval member.subscription.plan.interval
-      json.interval_count member.subscription.plan.interval_count
-      json.amount member.subscription.plan.amount ? (member.subscription.plan.amount / 100.0) : 0
-      json.monthly_payment member.subscription.plan.monthly_payment
+  if member.subscription
+    json.subscription do
+      json.id member.subscription.id
+      json.expired_at member.subscription.expired_at.iso8601
+      json.canceled_at member.subscription.canceled_at.iso8601 if member.subscription.canceled_at
+      json.plan do
+        json.id member.subscription.plan.id
+        json.base_name member.subscription.plan.base_name
+        json.name member.subscription.plan.name
+        json.interval member.subscription.plan.interval
+        json.interval_count member.subscription.plan.interval_count
+        json.amount member.subscription.plan.amount ? (member.subscription.plan.amount / 100.0) : 0
+        json.monthly_payment member.subscription.plan.monthly_payment
+      end
     end
   end
+  json.training_credits member.training_credits do |tc|
+    json.training_id tc.creditable_id
+  end
+  json.machine_credits member.machine_credits do |mc|
+    json.machine_id mc.creditable_id
+    json.hours_used mc.users_credits.find_by(user_id: member.id).hours_used
+  end
+  json.last_sign_in_at member.last_sign_in_at.iso8601 if member.last_sign_in_at
+  json.validated_at member.validated_at
 end
-json.training_credits member.training_credits do |tc|
-  json.training_id tc.creditable_id
-end
-json.machine_credits member.machine_credits do |mc|
-  json.machine_id mc.creditable_id
-  json.hours_used mc.users_credits.find_by(user_id: member.id).hours_used
-end
-# TODO, missing space_credits?
-json.last_sign_in_at member.last_sign_in_at.iso8601 if member.last_sign_in_at
-
-json.validated_at member.validated_at

app/views/api/members/index.json.jbuilder

@@ -4,18 +4,28 @@ user_is_admin = current_user&.admin?
 max_members = @query.except(:offset, :limit, :order).count
 
 json.array!(@members) do |member|
-  json.maxMembers max_members
   json.id member.id
-  json.username member.username
-  json.slug member.slug
-  json.name member.profile.full_name
-  json.email member.email if current_user
-  json.first_name member.profile.first_name
-  json.last_name member.profile.last_name
-  json.need_completion member.need_completion?
-  json.group_id member.group_id
+  json.maxMembers max_members if !@public_last_subscribed
+  if @public_last_subscribed
+    json.name member.profile.full_name
+    if member.profile.user_avatar
+      json.avatar do
+        json.id member.profile.user_avatar.id
+        json.attachment_url member.profile.user_avatar.attachment_url
+      end
+    end
+  else
+    json.username member.username
+    json.slug member.slug
+    json.name member.profile.full_name
+    json.email member.email if current_user
+    json.first_name member.profile.first_name
+    json.last_name member.profile.last_name
+    json.need_completion member.need_completion? unless @restricted_member_index
+    json.group_id member.group_id unless @restricted_member_index
+  end
 
-  if attribute_requested?(@requested_attributes, 'profile')
+  if !@public_last_subscribed && attribute_requested?(@requested_attributes, 'profile')
     json.profile do
       if member.profile.user_avatar
         json.user_avatar do
@@ -25,7 +35,7 @@ json.array!(@members) do |member|
       end
       json.first_name member.profile.first_name
       json.last_name member.profile.last_name
-      json.phone member.profile.phone
+      json.phone member.profile.phone unless @restricted_member_index
     end
     if user_is_admin
       json.statistic_profile do