[organisations] always hide tokens for non admin persons

zou/app/blueprints/auth/resources.py

@@ -229,7 +229,9 @@ def post(self):
                 "HTTP_X_REAL_IP", request.remote_addr
             )
 
-            organisation = persons_service.get_organisation()
+            organisation = persons_service.get_organisation(
+                sensitive=user["role"] != "admin"
+            )
 
             response = jsonify(
                 {

zou/app/blueprints/crud/base.py

@@ -26,7 +26,22 @@ def all_entries(self, query=None, relations=False):
         if query is None:
             query = self.model.query
 
-        return self.model.serialize_list(query.all(), relations=relations)
+        return self.serialize_list(query.all(), relations=relations)
+
+    def serialize_list(self, entries, relations=False):
+        return self.model.serialize_list(
+            entries,
+            relations=relations,
+            ignored_attrs=(
+                []
+                if permissions.has_admin_permissions()
+                else [
+                    "chat_token_slack",
+                    "chat_webhook_mattermost",
+                    "chat_token_discord",
+                ]
+            ),
+        )
 
     def paginated_entries(self, query, page, limit=None, relations=False):
         total = query.count()

zou/app/blueprints/crud/event.py

@@ -11,7 +11,7 @@ def all_entries(self, query=None, relations=False):
         if query is None:
             query = self.model.query
 
-        return self.model.serialize_list(
+        return self.serialize_list(
             query.limit(1000).all(), relations=relations
         )
 

zou/app/blueprints/crud/metadata_descriptor.py

@@ -27,15 +27,6 @@ def add_project_permission_filter(self, query):
             )
         return query
 
-    def all_entries(self, query=None, relations=True):
-        if query is None:
-            query = self.model.query
-
-        return [
-            metadata_descriptor.serialize(relations=relations)
-            for metadata_descriptor in query.all()
-        ]
-
     def check_creation_integrity(self, data):
         """
         Check if the data descriptor has a valid data_type.

zou/app/blueprints/crud/organisation.py

@@ -2,6 +2,7 @@
 from zou.app.blueprints.crud.base import BaseModelResource, BaseModelsResource
 
 from zou.app.services import persons_service
+from zou.app.utils.permissions import has_admin_permissions
 
 
 class OrganisationsResource(BaseModelsResource):
@@ -24,6 +25,20 @@ def pre_update(self, instance_dict, data):
             data["hours_by_day"] = float(data["hours_by_day"])
         return data
 
+    def serialize_instance(self, data, relations=True):
+        return data.serialize(
+            relations=relations,
+            ignored_attrs=(
+                []
+                if has_admin_permissions()
+                else [
+                    "chat_token_slack",
+                    "chat_webhook_mattermost",
+                    "chat_token_discord",
+                ]
+            ),
+        )
+
     def post_update(self, instance_dict, data):
-        persons_service.clear_oranisation_cache()
+        persons_service.clear_organisation_cache()
         return instance_dict

zou/app/models/organisation.py

@@ -1,7 +1,6 @@
 from zou.app import db
 from zou.app.models.serializer import SerializerMixin
 from zou.app.models.base import BaseMixin
-from zou.app.utils import fields
 
 
 class Organisation(db.Model, BaseMixin, SerializerMixin):
@@ -23,7 +22,7 @@ class Organisation(db.Model, BaseMixin, SerializerMixin):
     format_duration_in_hours = db.Column(db.Boolean(), default=False)
 
     def present(self, sensitive=False):
-        self.serialize(
+        return self.serialize(
             ignored_attrs=(
                 []
                 if sensitive
@@ -34,22 +33,3 @@ def present(self, sensitive=False):
                 ]
             )
         )
-
-        return fields.serialize_dict(
-            {
-                "id": self.id,
-                "chat_token_slack": self.chat_token_slack,
-                "chat_webhook_mattermost": self.chat_webhook_mattermost,
-                "chat_token_discord": self.chat_token_discord,
-                "name": self.name,
-                "has_avatar": self.has_avatar,
-                "hours_by_day": self.hours_by_day,
-                "hd_by_default": self.hd_by_default,
-                "use_original_file_name": self.use_original_file_name,
-                "timesheets_locked": self.timesheets_locked,
-                "dark_theme_by_default": self.dark_theme_by_default,
-                "format_duration_in_hours": self.format_duration_in_hours,
-                "updated_at": self.updated_at,
-                "created_at": self.created_at,
-            }
-        )

zou/app/models/serializer.py

@@ -35,13 +35,14 @@ def serialize(
 
     @staticmethod
     def serialize_list(
-        models, obj_type=None, relations=False, milliseconds=False
+        models, obj_type=None, relations=False, milliseconds=False, **kwargs
     ):
         return [
             model.serialize(
                 obj_type=obj_type,
                 relations=relations,
                 milliseconds=milliseconds,
+                **kwargs
             )
             for model in models
         ]

zou/app/services/persons_service.py

@@ -36,7 +36,7 @@ def clear_person_cache():
     cache.cache.delete_memoized(get_persons)
 
 
-def clear_oranisation_cache():
+def clear_organisation_cache():
     cache.cache.delete_memoized(get_organisation)
     cache.cache.delete_memoized(get_organisation, True)
 
@@ -502,7 +502,7 @@ def update_organisation(organisation_id, data):
     organisation = Organisation.get(organisation_id)
     organisation.update(data)
     events.emit("organisation:update", {"organisation_id": organisation_id})
-    clear_oranisation_cache()
+    clear_organisation_cache()
     return organisation.present()