Merge commit from fork

Add ownership check to GET /api/v1/user/:id so the full user object(including eager-loaded settings with notification credentials) is onlyreturned to the user themselves or MANAGE_USERS admins. All otherauthenticated users receive a stripped response (which is the intended behaviour as https://github.com/sct/overseerr/pull/3695#issuecomment-1817827774). Also expands User.filteredFields to strip sensitive fileds to prevent leaking credentials
2026-02-27 21:58:28 +05:00
parent 4ae2068409
commit 4f089b29d0
2 changed files with 14 additions and 5 deletions
--- a/server/entity/User.ts
+++ b/server/entity/User.ts
@@ -39,7 +39,16 @@ export class User {
    return users.map((u) => u.filter(showFiltered));
  }

-  static readonly filteredFields: string[] = ['email', 'plexId'];
+  static readonly filteredFields: string[] = [
+    'email',
+    'plexId',
+    'password',
+    'resetPasswordGuid',
+    'jellyfinDeviceId',
+    'jellyfinAuthToken',
+    'plexToken',
+    'settings',
+  ];

  public displayName: string;