fix: stop leaking user passwords to admins AGAIN

author: Zephyrrus <[email protected]> 2020-07-10 01:13:23 +0300
committer: Zephyrrus <[email protected]> 2020-07-10 01:13:23 +0300
commit: 7e78a03931173437cd4aec5454663ee3cc3aee23 (patch)
tree: 6eebb7896599a427fb56985e3a66c91e0e4e9802 /src/api/routes/admin/fileGET.js
parent: refactor: refactor most of the admin pages to use the store instead of intern... (diff)
download: host.fuwn.me-7e78a03931173437cd4aec5454663ee3cc3aee23.tar.xz
host.fuwn.me-7e78a03931173437cd4aec5454663ee3cc3aee23.zip
1 files changed, 4 insertions, 1 deletions
diff --git a/src/api/routes/admin/fileGET.js b/src/api/routes/admin/fileGET.js
index 0d1b147..239b128 100644
--- a/src/api/routes/admin/fileGET.js
+++ b/src/api/routes/admin/fileGET.js
@@ -11,7 +11,10 @@ class filesGET extends Route {
 		if (!id) return res.status(400).json({ message: 'Invalid file ID supplied' });
 
 		let file = await db.table('files').where({ id }).first();
-		const user = await db.table('users').where({ id: file.userId }).first();
+		const user = await db.table('users')
+			.select('id', 'username', 'enabled', 'createdAt', 'editedAt', 'apiKeyEditedAt', 'isAdmin')
+			.where({ id: file.userId })
+			.first();
 		file = Util.constructFilePublicLink(file);
 
 		// Additional relevant data
author	Zephyrrus <[email protected]>	2020-07-10 01:13:23 +0300
committer	Zephyrrus <[email protected]>	2020-07-10 01:13:23 +0300
commit	7e78a03931173437cd4aec5454663ee3cc3aee23 (patch)
tree	6eebb7896599a427fb56985e3a66c91e0e4e9802 /src/api/routes/admin/fileGET.js
parent	refactor: refactor most of the admin pages to use the store instead of intern... (diff)
download	host.fuwn.me-7e78a03931173437cd4aec5454663ee3cc3aee23.tar.xz host.fuwn.me-7e78a03931173437cd4aec5454663ee3cc3aee23.zip