fix: stop leaking user passwords to admins AGAIN
This commit is contained in:
parent
fd3f6de51a
commit
7e78a03931
|
@ -11,7 +11,10 @@ class filesGET extends Route {
|
|||
if (!id) return res.status(400).json({ message: 'Invalid file ID supplied' });
|
||||
|
||||
let file = await db.table('files').where({ id }).first();
|
||||
const user = await db.table('users').where({ id: file.userId }).first();
|
||||
const user = await db.table('users')
|
||||
.select('id', 'username', 'enabled', 'createdAt', 'editedAt', 'apiKeyEditedAt', 'isAdmin')
|
||||
.where({ id: file.userId })
|
||||
.first();
|
||||
file = Util.constructFilePublicLink(file);
|
||||
|
||||
// Additional relevant data
|
||||
|
|
|
@ -12,7 +12,7 @@ class usersGET extends Route {
|
|||
|
||||
try {
|
||||
const user = await db.table('users')
|
||||
.select('id, username, enabled, createdAt, editeadAt, apiKeyEditedAt, isAdmin')
|
||||
.select('id', 'username', 'enabled', 'createdAt', 'editedAt', 'apiKeyEditedAt', 'isAdmin')
|
||||
.where({ id })
|
||||
.first();
|
||||
const files = await db.table('files')
|
||||
|
|
Loading…
Reference in New Issue