fix #358: Ensure not to save concealed email field to localStorage

lib/models/user.js

@@ -12,7 +12,7 @@ module.exports = function(crowi) {
     , STATUS_SUSPENDED  = 3
     , STATUS_DELETED    = 4
     , STATUS_INVITED    = 5
-    , USER_PUBLIC_FIELDS = '_id image isGravatarEnabled googleId name username email introduction status lang createdAt admin' // TODO: どこか別の場所へ...
+    , USER_PUBLIC_FIELDS = '_id image isEmailPublished isGravatarEnabled googleId name username email introduction status lang createdAt admin' // TODO: どこか別の場所へ...
 
     , LANG_EN    = 'en'
     , LANG_EN_US = 'en-US'

lib/routes/user.js

@@ -54,6 +54,15 @@ module.exports = function(crowi, app) {
     }
 
     userFetcher
+    .then(function(userList) {
+      return userList.map((user) => {
+        // omit email
+        if (true !== user.isEmailPublished) { // compare to 'true' because Crowi original data doesn't have 'isEmailPublished'
+          user.email = undefined;
+        }
+        return user;
+      });
+    })
     .then(function(userList) {
       var result = {
         users: userList,