fix(middleware): enhanced user privacy on profile pages

Addresses a security vulnerability where the `/users/[:id]` route was accessible to users without the necessary permissions. Adds middleware that protects that route so that only authenticated users with the `MANAGE_USERS` and `VIEW_WATCHLIST` permissions can access other user's profile pages as intended.
7 months ago · d573a2c5a1
parent be047427df
commit d573a2c5a1
1 changed files with 16 additions and 12 deletions
--- a/server/routes/user/index.ts
+++ b/server/routes/user/index.ts
@ -180,21 +180,25 @@ router.post<
  }
 });

-router.get<{ id: string }>('/:id', async (req, res, next) => {
-  try {
-    const userRepository = getRepository(User);
+router.get<{ id: string }>(
+  '/:id',
+  isAuthenticated([Permission.MANAGE_USERS, Permission.WATCHLIST_VIEW]),
+  async (req, res, next) => {
+    try {
+      const userRepository = getRepository(User);

-    const user = await userRepository.findOneOrFail({
-      where: { id: Number(req.params.id) },
-    });
+      const user = await userRepository.findOneOrFail({
+        where: { id: Number(req.params.id) },
+      });

-    return res
-      .status(200)
-      .json(user.filter(req.user?.hasPermission(Permission.MANAGE_USERS)));
-  } catch (e) {
-    next({ status: 404, message: 'User not found.' });
+      return res
+        .status(200)
+        .json(user.filter(req.user?.hasPermission(Permission.MANAGE_USERS)));
+    } catch (e) {
+      next({ status: 404, message: 'User not found.' });
+    }
  }
-});
+);

 router.use('/:id/settings', userSettingsRoutes);