From ad852de51a0d2dd5d29c08838d5a430c58849e74 Mon Sep 17 00:00:00 2001
From: Zephyrrus <krisztian1997@gmail.com>
Date: Wed, 8 Jul 2020 04:00:12 +0300
Subject: chore: linter the entire project using the new rules

---
 src/api/routes/admin/fileGET.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src/api/routes/admin/fileGET.js')

diff --git a/src/api/routes/admin/fileGET.js b/src/api/routes/admin/fileGET.js
index 3bb8da4..0d1b147 100644
--- a/src/api/routes/admin/fileGET.js
+++ b/src/api/routes/admin/fileGET.js
@@ -21,7 +21,7 @@ class filesGET extends Route {
 		return res.json({
 			message: 'Successfully retrieved file',
 			file,
-			user
+			user,
 		});
 	}
 }
-- 
cgit v1.2.3


From 7e78a03931173437cd4aec5454663ee3cc3aee23 Mon Sep 17 00:00:00 2001
From: Zephyrrus <krisztian1997@gmail.com>
Date: Fri, 10 Jul 2020 01:13:23 +0300
Subject: fix: stop leaking user passwords to admins AGAIN

---
 src/api/routes/admin/fileGET.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'src/api/routes/admin/fileGET.js')

diff --git a/src/api/routes/admin/fileGET.js b/src/api/routes/admin/fileGET.js
index 0d1b147..239b128 100644
--- a/src/api/routes/admin/fileGET.js
+++ b/src/api/routes/admin/fileGET.js
@@ -11,7 +11,10 @@ class filesGET extends Route {
 		if (!id) return res.status(400).json({ message: 'Invalid file ID supplied' });
 
 		let file = await db.table('files').where({ id }).first();
-		const user = await db.table('users').where({ id: file.userId }).first();
+		const user = await db.table('users')
+			.select('id', 'username', 'enabled', 'createdAt', 'editedAt', 'apiKeyEditedAt', 'isAdmin')
+			.where({ id: file.userId })
+			.first();
 		file = Util.constructFilePublicLink(file);
 
 		// Additional relevant data
-- 
cgit v1.2.3