From cba9047f67ead034ca412c36985194e27589d013 Mon Sep 17 00:00:00 2001
From: Julian Lam <julian@nodebb.org>
Date: Wed, 3 Aug 2022 12:36:11 -0400
Subject: [PATCH] fix: #10805, hide unconfirmed emails from user data retrieval
 methods

---
 src/controllers/accounts/helpers.js | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/controllers/accounts/helpers.js b/src/controllers/accounts/helpers.js
index 526175a838..7c249d8d5f 100644
--- a/src/controllers/accounts/helpers.js
+++ b/src/controllers/accounts/helpers.js
@@ -44,6 +44,11 @@ helpers.getUserDataByUserSlug = async function (userslug, callerUID, query = {})
 	userData = await user.hidePrivateData(userData, callerUID);
 	userData.emailClass = userSettings.showemail ? 'hide' : '';
 
+	// If email unconfirmed, hide from result set
+	if (!userData['email:confirmed']) {
+		userData.email = '';
+	}
+
 	if (isAdmin || isSelf || (canViewInfo && !results.isTargetAdmin)) {
 		userData.ips = results.ips;
 	}