From 746a4546122be2ed79ad5858de6ce2c686f78ef0 Mon Sep 17 00:00:00 2001
From: Zephyrrus <krisztian1997@gmail.com>
Date: Thu, 9 Jul 2020 02:22:08 +0300
Subject: fix: stop leaking user's password and their apikey to admins

---
 src/api/routes/admin/userGET.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'src/api/routes')

diff --git a/src/api/routes/admin/userGET.js b/src/api/routes/admin/userGET.js
index 30c79f4..2fb80d1 100644
--- a/src/api/routes/admin/userGET.js
+++ b/src/api/routes/admin/userGET.js
@@ -11,7 +11,10 @@ class usersGET extends Route {
 		if (!id) return res.status(400).json({ message: 'Invalid user ID supplied' });
 
 		try {
-			const user = await db.table('users').where({ id }).first();
+			const user = await db.table('users')
+				.select('id, username, enabled, createdAt, editeadAt, apiKeyEditedAt, isAdmin')
+				.where({ id })
+				.first();
 			const files = await db.table('files')
 				.where({ userId: user.id })
 				.orderBy('id', 'desc');
-- 
cgit v1.2.3