Merge commit from fork

Add ownership check to GET /api/v1/user/:id so the full user object (including eager-loaded settings
with notification credentials) is only returned to the user themselves or MANAGE_USERS admins. All
other authenticated users receive a stripped response (which is the intended behaviour, as discussed in
https://github.com/sct/overseerr/pull/3695#issuecomment-1817827774). Also expands
User.filteredFields to strip sensitive fields to prevent leaking credentials.
fallenbagel
2026-02-27 21:58:28 +05:00
committed by GitHub
parent 4ae2068409
commit 4f089b29d0
2 changed files with 14 additions and 5 deletions


@@ -355,14 +355,14 @@ router.delete<{ userId: number; endpoint: string }>(
router.get<{ id: string }>('/:id', async (req, res, next) => {
try {
const userRepository = getRepository(User);
const user = await userRepository.findOneOrFail({
where: { id: Number(req.params.id) },
});
return res
.status(200)
.json(user.filter(req.user?.hasPermission(Permission.MANAGE_USERS)));
const isOwnProfile = req.user?.id === user.id;
const isAdmin = req.user?.hasPermission(Permission.MANAGE_USERS);
return res.status(200).json(user.filter(isOwnProfile || isAdmin));
} catch (e) {
next({ status: 404, message: 'User not found.' });
}