refactor: cleans up and removes unncessary console.log statement

fix(middleware): enhanced user privacy on profile pages
Addresses a security vulnerability where the `/users/[:id]` route was accessible to users without the necessary permissions. Adds middleware that protects that route so that only authenticated users with the MANAGE_USERS and VIEW_WATCHLIST permissions can access other user's profile pages as intended. fix #569
2025-12-24 10:49:30 -05:00 · 2023-11-19 10:28:14 +05:00 · 2023-11-19 10:21:57 +05:00
1 changed files with 16 additions and 12 deletions
--- a/server/routes/user/index.ts
+++ b/server/routes/user/index.ts
@@ -182,21 +182,25 @@ router.post<
  }
 });

-router.get<{ id: string }>('/:id', async (req, res, next) => {
-  try {
-    const userRepository = getRepository(User);
+router.get<{ id: string }>(
+  '/:id',
+  isAuthenticated([Permission.MANAGE_USERS, Permission.WATCHLIST_VIEW]),
+  async (req, res, next) => {
+    try {
+      const userRepository = getRepository(User);

-    const user = await userRepository.findOneOrFail({
-      where: { id: Number(req.params.id) },
-    });
+      const user = await userRepository.findOneOrFail({
+        where: { id: Number(req.params.id) },
+      });

-    return res
-      .status(200)
-      .json(user.filter(req.user?.hasPermission(Permission.MANAGE_USERS)));
-  } catch (e) {
-    next({ status: 404, message: 'User not found.' });
+      return res
+        .status(200)
+        .json(user.filter(req.user?.hasPermission(Permission.MANAGE_USERS)));
+    } catch (e) {
+      next({ status: 404, message: 'User not found.' });
+    }
  }
-});
+);

 router.use('/:id/settings', userSettingsRoutes);