Merge commit from fork

Add ownership check to GET /api/v1/user/:id so the full user object(including eager-loaded settings with notification credentials) is onlyreturned to the user themselves or MANAGE_USERS admins. All otherauthenticated users receive a stripped response (which is the intended behaviour as https://github.com/sct/overseerr/pull/3695#issuecomment-1817827774). Also expands User.filteredFields to strip sensitive fileds to prevent leaking credentials
2026-02-27 21:58:28 +05:00
parent 4ae2068409
commit 4f089b29d0
2 changed files with 14 additions and 5 deletions
--- a/server/entity/User.ts
+++ b/server/entity/User.ts
@@ -39,7 +39,16 @@ export class User {
    return users.map((u) => u.filter(showFiltered));
  }
-  static readonly filteredFields: string[] = ['email', 'plexId'];
+  static readonly filteredFields: string[] = [
    'email',
    'plexId',
    'password',
    'resetPasswordGuid',
    'jellyfinDeviceId',
    'jellyfinAuthToken',
    'plexToken',
    'settings',
  ];
  public displayName: string;
--- a/server/routes/user/index.ts
+++ b/server/routes/user/index.ts
@@ -355,14 +355,14 @@ router.delete<{ userId: number; endpoint: string }>(
 router.get<{ id: string }>('/:id', async (req, res, next) => {
  try {
    const userRepository = getRepository(User);
    const user = await userRepository.findOneOrFail({
      where: { id: Number(req.params.id) },
    });
-    return res
+    const isOwnProfile = req.user?.id === user.id;
-      .status(200)
+    const isAdmin = req.user?.hasPermission(Permission.MANAGE_USERS);
-      .json(user.filter(req.user?.hasPermission(Permission.MANAGE_USERS)));
+
    return res.status(200).json(user.filter(isOwnProfile || isAdmin));
  } catch (e) {
    next({ status: 404, message: 'User not found.' });
  }