[Improvement][security] get-user-info API endpoint should not return …

…the user's password in MD5 format (#14680)

* [Improvement][security] get-user-info API endpoint should not return the user's password in MD5 format

Signed-off-by: Gallardot <gallardot@apache.org>

* [Improvement][security] list-paging API endpoint should not return the user's password in MD5 format

Signed-off-by: Gallardot <gallardot@apache.org>

---------

Signed-off-by: Gallardot <gallardot@apache.org>
Co-authored-by: Aaron Wang <wangweirao16@gmail.com>

dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/UsersServiceImpl.java

@@ -1086,6 +1086,9 @@ public Map<String, Object> getUserInfo(User loginUser) {
             user.setTimeZone(TimeZone.getDefault().toZoneId().getId());
         }
 
+        // remove password
+        user.setUserPassword(null);
+
         result.put(Constants.DATA_LIST, user);
 
         putMsg(result, Status.SUCCESS);

dolphinscheduler-dao/src/main/resources/org/apache/dolphinscheduler/dao/mapper/UserMapper.xml

@@ -48,7 +48,7 @@
         where user_name=#{userName} and user_password = #{password}
     </select>
     <select id="queryUserPaging" resultType="org.apache.dolphinscheduler.dao.entity.User">
-        select u.id,u.user_name,u.user_password,u.user_type,u.email,u.phone,u.tenant_id,u.create_time,
+        select u.id,u.user_name,u.user_type,u.email,u.phone,u.tenant_id,u.create_time,
         u.update_time,t.tenant_code,u.state,
         case when u.queue  <![CDATA[ <> ]]> '' then u.queue else q.queue_name end as queue, q.queue_name
         from t_ds_user u