From ad852de51a0d2dd5d29c08838d5a430c58849e74 Mon Sep 17 00:00:00 2001
From: Zephyrrus <krisztian1997@gmail.com>
Date: Wed, 8 Jul 2020 04:00:12 +0300
Subject: chore: linter the entire project using the new rules

---
 src/api/routes/admin/userGET.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src/api/routes/admin/userGET.js')

diff --git a/src/api/routes/admin/userGET.js b/src/api/routes/admin/userGET.js
index 14a6c92..30c79f4 100644
--- a/src/api/routes/admin/userGET.js
+++ b/src/api/routes/admin/userGET.js
@@ -23,7 +23,7 @@ class usersGET extends Route {
 			return res.json({
 				message: 'Successfully retrieved user',
 				user,
-				files
+				files,
 			});
 		} catch (error) {
 			return super.error(res, error);
-- 
cgit v1.2.3


From 746a4546122be2ed79ad5858de6ce2c686f78ef0 Mon Sep 17 00:00:00 2001
From: Zephyrrus <krisztian1997@gmail.com>
Date: Thu, 9 Jul 2020 02:22:08 +0300
Subject: fix: stop leaking user's password and their apikey to admins

---
 src/api/routes/admin/userGET.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'src/api/routes/admin/userGET.js')

diff --git a/src/api/routes/admin/userGET.js b/src/api/routes/admin/userGET.js
index 30c79f4..2fb80d1 100644
--- a/src/api/routes/admin/userGET.js
+++ b/src/api/routes/admin/userGET.js
@@ -11,7 +11,10 @@ class usersGET extends Route {
 		if (!id) return res.status(400).json({ message: 'Invalid user ID supplied' });
 
 		try {
-			const user = await db.table('users').where({ id }).first();
+			const user = await db.table('users')
+				.select('id, username, enabled, createdAt, editeadAt, apiKeyEditedAt, isAdmin')
+				.where({ id })
+				.first();
 			const files = await db.table('files')
 				.where({ userId: user.id })
 				.orderBy('id', 'desc');
-- 
cgit v1.2.3


From 7e78a03931173437cd4aec5454663ee3cc3aee23 Mon Sep 17 00:00:00 2001
From: Zephyrrus <krisztian1997@gmail.com>
Date: Fri, 10 Jul 2020 01:13:23 +0300
Subject: fix: stop leaking user passwords to admins AGAIN

---
 src/api/routes/admin/userGET.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src/api/routes/admin/userGET.js')

diff --git a/src/api/routes/admin/userGET.js b/src/api/routes/admin/userGET.js
index 2fb80d1..f5f2508 100644
--- a/src/api/routes/admin/userGET.js
+++ b/src/api/routes/admin/userGET.js
@@ -12,7 +12,7 @@ class usersGET extends Route {
 
 		try {
 			const user = await db.table('users')
-				.select('id, username, enabled, createdAt, editeadAt, apiKeyEditedAt, isAdmin')
+				.select('id', 'username', 'enabled', 'createdAt', 'editedAt', 'apiKeyEditedAt', 'isAdmin')
 				.where({ id })
 				.first();
 			const files = await db.table('files')
-- 
cgit v1.2.3