From 8ab5df675e98129bb57b106ee331a8d07d324a45 Mon Sep 17 00:00:00 2001 From: Mohamed Bassem Date: Sun, 23 Nov 2025 10:13:15 +0000 Subject: fix: hide collaborator emails from non-owners (#2160) * feat: Hide collaborator emails from non-owners in shared lists Implemented privacy protection for collaborator emails in shared lists. Non-owners (viewers and editors) can no longer see email addresses of the list owner or other collaborators. Only the list owner can view all email addresses. Changes: - Modified List.getCollaborators() to return empty strings for emails when the requester is not the owner - Updated ManageCollaboratorsModal UI to conditionally display email fields only when they are not empty - Added comprehensive test to verify email privacy for non-owners while ensuring owners can still see all emails This follows existing privacy patterns in the codebase (similar to how pending invitation names are masked as "Pending User"). * make the email field nullable * fix tests --------- Co-authored-by: Claude --- packages/trpc/models/lists.ts | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'packages/trpc/models/lists.ts') diff --git a/packages/trpc/models/lists.ts b/packages/trpc/models/lists.ts index a0d9ca23..0968492a 100644 --- a/packages/trpc/models/lists.ts +++ b/packages/trpc/models/lists.ts @@ -752,7 +752,8 @@ export abstract class List { user: { id: c.user.id, name: c.user.name, - email: c.user.email, + // Only show email to the owner for privacy + email: isOwner ? c.user.email : null, }, }; }); @@ -763,7 +764,8 @@ export abstract class List { ? { id: owner.id, name: owner.name, - email: owner.email, + // Only show owner email to the owner for privacy + email: isOwner ? owner.email : null, } : null, }; -- cgit v1.2.3-70-g09d2