mirror of
https://github.com/seerr-team/seerr.git
synced 2026-04-17 13:58:24 -04:00
4f089b29d0
Add ownership check to GET /api/v1/user/:id so the full user object(including eager-loaded settings with notification credentials) is onlyreturned to the user themselves or MANAGE_USERS admins. All otherauthenticated users receive a stripped response (which is the intended behaviour as https://github.com/sct/overseerr/pull/3695#issuecomment-1817827774). Also expands User.filteredFields to strip sensitive fileds to prevent leaking credentials