fix: stop leaking user passwords to admins AGAIN

2 files changed, 5 insertions, 2 deletions

diff --git a/src/api/routes/admin/fileGET.js b/src/api/routes/admin/fileGET.js
index 0d1b147..239b128 100644
--- a/src/api/routes/admin/fileGET.js
+++ b/src/api/routes/admin/fileGET.js
@@ -11,7 +11,10 @@ class filesGET extends Route {
 		if (!id) return res.status(400).json({ message: 'Invalid file ID supplied' });
 
 		let file = await db.table('files').where({ id }).first();
-		const user = await db.table('users').where({ id: file.userId }).first();
+		const user = await db.table('users')
+			.select('id', 'username', 'enabled', 'createdAt', 'editedAt', 'apiKeyEditedAt', 'isAdmin')
+			.where({ id: file.userId })
+			.first();
 		file = Util.constructFilePublicLink(file);
 
 		// Additional relevant data
diff --git a/src/api/routes/admin/userGET.js b/src/api/routes/admin/userGET.js
index 2fb80d1..f5f2508 100644
--- a/src/api/routes/admin/userGET.js
+++ b/src/api/routes/admin/userGET.js
@@ -12,7 +12,7 @@ class usersGET extends Route {
 
 		try {
 			const user = await db.table('users')
-				.select('id, username, enabled, createdAt, editeadAt, apiKeyEditedAt, isAdmin')
+				.select('id', 'username', 'enabled', 'createdAt', 'editedAt', 'apiKeyEditedAt', 'isAdmin')
 				.where({ id })
 				.first();
 			const files = await db.table('files')