Merge commit from fork

Add ownership check to GET /api/v1/user/:id so the full user object(including eager-loaded settings with notification credentials) is onlyreturned to the user themselves or MANAGE_USERS admins. All otherauthenticated users receive a stripped response (which is the intended behaviour as https://github.com/sct/overseerr/pull/3695#issuecomment-1817827774). Also expands User.filteredFields to strip sensitive fileds to prevent leaking credentials
2026-02-27 21:58:28 +05:00
parent 4ae2068409
commit 4f089b29d0
2 changed files with 14 additions and 5 deletions
--- a/server/entity/User.ts
+++ b/server/entity/User.ts
@@ -39,7 +39,16 @@ export class User {
    return users.map((u) => u.filter(showFiltered));
  }

-  static readonly filteredFields: string[] = ['email', 'plexId'];
+  static readonly filteredFields: string[] = [
+    'email',
+    'plexId',
+    'password',
+    'resetPasswordGuid',
+    'jellyfinDeviceId',
+    'jellyfinAuthToken',
+    'plexToken',
+    'settings',
+  ];

  public displayName: string;

--- a/server/routes/user/index.ts
+++ b/server/routes/user/index.ts
@@ -355,14 +355,14 @@ router.delete<{ userId: number; endpoint: string }>(
 router.get<{ id: string }>('/:id', async (req, res, next) => {
  try {
    const userRepository = getRepository(User);
-
    const user = await userRepository.findOneOrFail({
      where: { id: Number(req.params.id) },
    });

-    return res
-      .status(200)
-      .json(user.filter(req.user?.hasPermission(Permission.MANAGE_USERS)));
+    const isOwnProfile = req.user?.id === user.id;
+    const isAdmin = req.user?.hasPermission(Permission.MANAGE_USERS);
+
+    return res.status(200).json(user.filter(isOwnProfile || isAdmin));
  } catch (e) {
    next({ status: 404, message: 'User not found.' });
  }