
use serializeUserSecurely in user-group

itizawa 5 лет назад
Родитель
Сommit
7a982cce79
2 измененных файлов с 19 добавлено и 18 удалено
  1. 1 1
      src/server/routes/apiv3/user-group-relation.js
  2. 18 17
      src/server/routes/apiv3/user-group.js

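--- a/src/server/routes/apiv3/user-group-relation.js
+++ b/src/server/routes/apiv3/user-group-relation.js
@@ -3,8 +3,8 @@ const loggerFactory = require('@alias/logger');
 const logger = loggerFactory('growi:routes:apiv3:user-group-relation'); // eslint-disable-line no-unused-vars
 
 const express = require('express');
-const { serializeUserSecurely } = require('../../models/serializers/user-serializer');
 
+const { serializeUserSecurely } = require('../../models/serializers/user-serializer');
 const ErrorV3 = require('../../models/vo/error-apiv3');
 
 const router = express.Router();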

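--- a/src/server/routes/apiv3/user-group.js
+++ b/src/server/routes/apiv3/user-group.js
@@ -13,6 +13,7 @@ const mongoose = require('mongoose');
 
 const ErrorV3 = require('../../models/vo/error-apiv3');
 
+const { serializeUserSecurely } = require('../../models/serializers/user-serializer');
 const { toPagingLimit, toPagingOffset } = require('../../util/express-validator/sanitizer');
 
 const validator = {};
@@ -288,7 +289,7 @@ module.exports = (crowi) => {
       const userGroupRelations = await UserGroupRelation.findAllRelationForUserGroup(userGroup);
 
       const users = userGroupRelations.map((userGroupRelation) => {
-        return userGroupRelation.relatedUser;
+        return serializeUserSecurely(userGroupRelation.relatedUser);
       });
 
       return res.apiv3({ users });
@@ -343,8 +344,10 @@ module.exports = (crowi) => {
     try {
       const userGroup = await UserGroup.findById(id);
       const users = await UserGroupRelation.findUserByNotRelatedGroup(userGroup, queryOptions);
-
-      return res.apiv3({ users });
+      const serializedUsers = users.map((user) => {
+        return serializeUserSecurely(user);
+      });
+      return res.apiv3({ users: serializedUsers });
     }
     catch (err) {
       const msg = `Error occurred in fetching unrelated users for group: ${id}`;
@@ -411,9 +414,9 @@ module.exports = (crowi) => {
       }
 
       const userGroupRelation = await UserGroupRelation.createRelation(userGroup, user);
-      await userGroupRelation.populate('relatedUser', User.USER_PUBLIC_FIELDS).execPopulate();
+      const serializedUser = serializeUserSecurely(user);
 
-      return res.apiv3({ user, userGroup, userGroupRelation });
+      return res.apiv3({ user: serializedUser, userGroup, userGroupRelation });
     }
     catch (err) {
       const msg = `Error occurred in adding the user "${username}" to group "${id}"`;
@@ -471,14 +474,10 @@ module.exports = (crowi) => {
         User.findUserByUsername(username),
       ]);
 
-      const userGroupRelation = await UserGroupRelation.findOne({ relatedUser: new ObjectId(user._id), relatedGroup: new ObjectId(userGroup._id) });
-      if (userGroupRelation == null) {
-        throw new Error(`Group "${id}" does not exist or user "${username}" does not belong to group "${id}"`);
-      }
+      const userGroupRelation = await UserGroupRelation.findOneAndDelete({ relatedUser: new ObjectId(user._id), relatedGroup: new ObjectId(userGroup._id) });
+      const serializedUser = serializeUserSecurely(user);
 
-      await userGroupRelation.remove();
-
-      return res.apiv3({ user, userGroup, userGroupRelation });
+      return res.apiv3({ user: serializedUser, userGroup, userGroupRelation });
     }
     catch (err) {
       const msg = `Error occurred in removing the user "${username}" from group "${id}"`;
@@ -584,16 +583,18 @@ module.exports = (crowi) => {
       }, {
         offset,
         limit,
-        populate: {
-          path: 'lastUpdateUser',
-          select: User.USER_PUBLIC_FIELDS,
-        },
+        populate: 'lastUpdateUser',
       });
 
       const current = offset / limit + 1;
 
+      const pages = docs.map((doc) => {
+        doc.lastUpdateUser = serializeUserSecurely(doc.lastUpdateUser);
+        return doc;
+      });
+
       // TODO: create a common moudule for paginated response
-      return res.apiv3({ total: totalDocs, current, pages: docs });
+      return res.apiv3({ total: totalDocs, current, pages });
     }
     catch (err) {
       const msg = `Error occurred in fetching pages for group: ${id}`;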
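Review bot: The remove-user hunk (`@@ -471,14 +474,10 @@`) no longer rejects a missing relation. `findOneAndDelete` resolves to null when nothing matches and the deleted `if (userGroupRelation == null)` guard has no replacement, so the handler now reports success with `userGroupRelation: null` for a user who was never in the group. If group membership feeds access decisions, a caller should be able to tell a revoked membership from a no-op. Re-add the guard directly after the call, `if (userGroupRelation == null) { throw new Error(...) }`, reusing the message from the deleted line. The handler begins outside the hunk, so whether `user` or `userGroup` can be null before `user._id` is read is not visible here.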