fix: stop leaking user's password and their apikey to admins

author: Zephyrrus <[email protected]> 2020-07-09 02:22:08 +0300
committer: Zephyrrus <[email protected]> 2020-07-09 02:22:08 +0300
commit: 746a4546122be2ed79ad5858de6ce2c686f78ef0 (patch)
tree: abe4c6dd4d3537689d710bcf37290580d04f0005 /src/api/routes/admin
parent: feat: add notifier plugin for 🐍 and 🍞 (diff)
download: host.fuwn.me-746a4546122be2ed79ad5858de6ce2c686f78ef0.tar.xz
host.fuwn.me-746a4546122be2ed79ad5858de6ce2c686f78ef0.zip
1 files changed, 4 insertions, 1 deletions
diff --git a/src/api/routes/admin/userGET.js b/src/api/routes/admin/userGET.js
index 30c79f4..2fb80d1 100644
--- a/src/api/routes/admin/userGET.js
+++ b/src/api/routes/admin/userGET.js
@@ -11,7 +11,10 @@ class usersGET extends Route {
 		if (!id) return res.status(400).json({ message: 'Invalid user ID supplied' });
 
 		try {
-			const user = await db.table('users').where({ id }).first();
+			const user = await db.table('users')
+				.select('id, username, enabled, createdAt, editeadAt, apiKeyEditedAt, isAdmin')
+				.where({ id })
+				.first();
 			const files = await db.table('files')
 				.where({ userId: user.id })
 				.orderBy('id', 'desc');
author	Zephyrrus <[email protected]>	2020-07-09 02:22:08 +0300
committer	Zephyrrus <[email protected]>	2020-07-09 02:22:08 +0300
commit	746a4546122be2ed79ad5858de6ce2c686f78ef0 (patch)
tree	abe4c6dd4d3537689d710bcf37290580d04f0005 /src/api/routes/admin
parent	feat: add notifier plugin for 🐍 and 🍞 (diff)
download	host.fuwn.me-746a4546122be2ed79ad5858de6ce2c686f78ef0.tar.xz host.fuwn.me-746a4546122be2ed79ad5858de6ce2c686f78ef0.zip