fix: stop leaking user passwords to admins AGAIN

2020-07-10 01:13:23 +03:00 · 2020-07-10 01:13:23 +03:00 · 7e78a03931
parent fd3f6de51a
commit 7e78a03931
2 changed files with 5 additions and 2 deletions
--- a/src/api/routes/admin/fileGET.js
+++ b/src/api/routes/admin/fileGET.js
@ -11,7 +11,10 @@ class filesGET extends Route {
 		if (!id) return res.status(400).json({ message: 'Invalid file ID supplied' });

 		let file = await db.table('files').where({ id }).first();
-		const user = await db.table('users').where({ id: file.userId }).first();
+		const user = await db.table('users')
+			.select('id', 'username', 'enabled', 'createdAt', 'editedAt', 'apiKeyEditedAt', 'isAdmin')
+			.where({ id: file.userId })
+			.first();
 		file = Util.constructFilePublicLink(file);

 		// Additional relevant data
--- a/src/api/routes/admin/userGET.js
+++ b/src/api/routes/admin/userGET.js
@ -12,7 +12,7 @@ class usersGET extends Route {

 		try {
 			const user = await db.table('users')
-				.select('id, username, enabled, createdAt, editeadAt, apiKeyEditedAt, isAdmin')
+				.select('id', 'username', 'enabled', 'createdAt', 'editedAt', 'apiKeyEditedAt', 'isAdmin')
 				.where({ id })
 				.first();
 			const files = await db.table('files')