From 4f089b29d0bb41d382168b17aa152eb5b8a25303 Mon Sep 17 00:00:00 2001
From: fallenbagel <98979876+fallenbagel@users.noreply.github.com>
Date: Fri, 27 Feb 2026 21:58:28 +0500
Subject: [PATCH] Merge commit from fork

Add ownership check to GET /api/v1/user/:id so the full user object
(including eager-loaded settings with notification credentials) is only
returned to the user themselves or MANAGE_USERS admins. All other
authenticated users receive a stripped response (which is the intended behaviour as https://github.com/sct/overseerr/pull/3695#issuecomment-1817827774).

Also expands User.filteredFields to strip sensitive fileds to prevent leaking credentials
---
 server/entity/User.ts | 11 ++++++++++-
 server/routes/user/index.ts | 8 ++++----
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/server/entity/User.ts b/server/entity/User.ts
index b15b6683..011b1be4 100644
--- a/server/entity/User.ts
+++ b/server/entity/User.ts
@@ -39,7 +39,16 @@ export class User {
 return users.map((u) => u.filter(showFiltered));
 }
 
- static readonly filteredFields: string[] = ['email', 'plexId'];
+ static readonly filteredFields: string[] = [
+ 'email',
+ 'plexId',
+ 'password',
+ 'resetPasswordGuid',
+ 'jellyfinDeviceId',
+ 'jellyfinAuthToken',
+ 'plexToken',
+ 'settings',
+ ];
 
 public displayName: string;
 
diff --git a/server/routes/user/index.ts b/server/routes/user/index.ts
index b7733c92..7ef98a4e 100644
--- a/server/routes/user/index.ts
+++ b/server/routes/user/index.ts
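Review bot: `filteredFields` is still typed as `string[]`, so a misspelled entry in the expanded list would compile cleanly and silently stop stripping that column; declaring it as `static readonly filteredFields: readonly (keyof User)[] = [ … ];` lets the compiler check every name against the entity. The list is also a denylist, so any credential column added to `User` later is exposed by default unless someone appends it here — a comment above the array would make that contract visible, e.g. `// Stripped from API responses unless the caller is the profile owner or has MANAGE_USERS; add any new secret/credential column here.` The `filter` method that consumes this list, and the rest of the `User` class, lie outside the hunk, so whether it accepts a `readonly` array cannot be confirmed from here.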
@@ -355,14 +355,14 @@ router.delete<{ userId: number; endpoint: string }>(
 router.get<{ id: string }>('/:id', async (req, res, next) => {
 try {
 const userRepository = getRepository(User);
-
 const user = await userRepository.findOneOrFail({
 where: { id: Number(req.params.id) },
 });
- return res
- .status(200)
- .json(user.filter(req.user?.hasPermission(Permission.MANAGE_USERS)));
+ const isOwnProfile = req.user?.id === user.id;
+ const isAdmin = req.user?.hasPermission(Permission.MANAGE_USERS);
+
+ return res.status(200).json(user.filter(isOwnProfile || isAdmin));
 } catch (e) {
 next({ status: 404, message: 'User not found.' });
 }
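Review bot: `isAdmin` is `boolean | undefined` because of the optional chain on `req.user`, so `user.filter(isOwnProfile || isAdmin)` can be handed `undefined`; normalising it with `const isAdmin = req.user?.hasPermission(Permission.MANAGE_USERS) ?? false;` gives `filter` a plain boolean and makes the intent explicit. The ownership test depends on `req.user` being populated by the authentication middleware, which is outside this hunk; if it is absent both flags are falsy and the request presumably gets the stripped view, which is the safe direction. A short comment above the two consts would help the next reader, e.g. `// Full profile (incl. eager-loaded settings with notification credentials) is returned only to the owner or a MANAGE_USERS admin; everyone else gets the filtered view.` The `router.get` callback's closing `});` lies outside the hunk.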