From 389f1abd0640d2ebc3da9e9318c9aefecdb6f494 Mon Sep 17 00:00:00 2001 From: Andrew Shu Date: Sat, 6 Sep 2025 21:00:10 -0700 Subject: [PATCH] API: Fix permission checks for User info --- tildes/openapi_beta.yaml | 6 ++++++ tildes/tildes/templates/user.jinja2 | 24 ++++++++++++------------ tildes/tildes/views/api/beta/user.py | 22 +++++++++++++++++----- 3 files changed, 35 insertions(+), 17 deletions(-) diff --git a/tildes/openapi_beta.yaml b/tildes/openapi_beta.yaml index 48ec7e7..3f27904 100644 --- a/tildes/openapi_beta.yaml +++ b/tildes/openapi_beta.yaml @@ -409,6 +409,12 @@ components: properties: username: type: string + joined_at: + type: string + nullable: true + bio_rendered_html: + type: string + nullable: true Pagination: type: object diff --git a/tildes/tildes/templates/user.jinja2 b/tildes/tildes/templates/user.jinja2 index 6d19357..f57043b 100644 --- a/tildes/tildes/templates/user.jinja2 +++ b/tildes/tildes/templates/user.jinja2 @@ -171,18 +171,18 @@ {% endif %} {% if request.has_permission("view_info", user) %} -
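Review bot: The new `joined_at` and `bio_rendered_html` properties are declared `nullable: true` but the schema never says when they are null, so API consumers cannot tell "this user has no bio" from "you are not allowed to see this user's info", which is the distinction the permission check in user.py now introduces. Each property should carry a `description:` spelling this out, e.g. `description: Null unless the requester may view this user's info (bio is also null for users without one).` For `joined_at` the value comes from `created_time.isoformat()` in user.py, so `format: date-time` would presumably be accurate as well; worth confirming the serializer always emits a timezone-aware value before adding it.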

User info

-
-
Registered
-
{{ user.created_time.strftime('%B %-d, %Y') }}
- - {% if user.bio_rendered_html %} -
-
Bio
-
{{ user.bio_rendered_html|safe }}
-
- {% endif %} -
+

User info

+
+
Registered
+
{{ user.created_time.strftime('%B %-d, %Y') }}
+ + {% if user.bio_rendered_html %} +
+
Bio
+
{{ user.bio_rendered_html|safe }}
+
+ {% endif %} +
{% endif %} {% if request.has_permission('message', user) %} diff --git a/tildes/tildes/views/api/beta/user.py b/tildes/tildes/views/api/beta/user.py index 23b0ffa..9428833 100644 --- a/tildes/tildes/views/api/beta/user.py +++ b/tildes/tildes/views/api/beta/user.py @@ -19,15 +19,27 @@ from tildes.views.api.beta.comment import comment_to_api_dict from tildes.views.api.beta.topic import topic_to_api_dict -def _user_to_api_dict(user: User) -> dict: +def _user_to_api_dict(request: Request, user: User) -> dict: """Convert a User object to a dictionary for JSON serialization. The schema is defined in our OpenAPI YAML file. """ + + # Some fields do not require permissions + username = user.username + + # Check permissions for viewing user details (and set safe defaults) + joined_at = None + bio_rendered_html = None + + if request.has_permission("view_info", user): + joined_at = user.created_time.isoformat() + bio_rendered_html = user.bio_rendered_html + return { - "username": user.username, - "joined_at": user.created_time.isoformat(), - "bio_rendered_html": user.bio_rendered_html, + "username": username, + "joined_at": joined_at, + "bio_rendered_html": bio_rendered_html, } @@ -97,7 +109,7 @@ def get_user(request: Request) -> dict: # noqa # Construct the final response JSON object response = { - "user": _user_to_api_dict(user), + "user": _user_to_api_dict(request, user), "history": processed_results, "pagination": { "item_count": len(processed_results),
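Review bot: The docstring of `_user_to_api_dict` is left unchanged and does not state the contract this commit creates, namely that `joined_at` and `bio_rendered_html` are `None` whenever the requesting principal lacks `view_info` on the user, which is exactly what API clients (and the `nullable: true` added to the OpenAPI schema) now depend on. Since `bio_rendered_html` is also `None` for a user who simply has no bio (the template guards it with `{% if user.bio_rendered_html %}`), clients cannot distinguish "no bio" from "not permitted", and that should be documented rather than left implicit. I would extend the docstring with `Fields gated by the "view_info" permission (joined_at, bio_rendered_html) are None when the request lacks it; bio_rendered_html is also None for users without a bio.` As a point of style, the `username = user.username` local and its comment add nothing over putting `user.username` straight into the returned dict, which would also keep the "ungated field" / "gated field" split visible in the return statement itself.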