feat: only return essential fields for the user endpoints when used by client

2025-09-02 19:57:41 +05:30
parent 19ab12aab6
commit d2af689306
2 changed files with 4 additions and 3 deletions


@@ -76,6 +76,9 @@ export async function getUserHandler(req: FastifyRequest, res: FastifyReply) {
if (user == null)
return res.code(404).send({ error: "resource not found" });
if (req.user.role == "client" && user.orgId.toString() != req.user.orgId)
return res.code(404).send({ error: "resource not found" });
return res.code(200).send(user);
} catch (err) {
return err;
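Review bot: A client in the same organisation still receives the whole `user` object from `res.code(200).send(user)`, so the field trimming named in the commit title does not appear to reach this handler; the check on the `req.user.role == "client"` line only decides whether to answer at all. The lookup that produces `user` starts outside the hunk, so this holds only if that lookup applies no projection of its own. If it does not, build the client response from the same allow-list the listUsers change uses, e.g. `const { _id, pid, orgId, firstName, lastName, name, email, avatar } = user;` followed by `return res.code(200).send({ _id, pid, orgId, firstName, lastName, name, email, avatar });`. Separately, `user.orgId.toString()` throws when `orgId` is unset and that falls into the `catch` that does `return err`, so a guard such as `user.orgId == null ||` at the front of the condition would keep the 404 path uniform.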


@@ -157,9 +157,7 @@ export async function listUsers(user: AuthenticatedUser) {
{ dev: { $ne: true } },
],
})
.select(
"_id pid orgId firstName lastName name email role avatar status createdAt createdBy lastLogin blocked failedLoginCount"
)
.select("_id pid orgId firstName lastName name email avatar")
.populate({ path: "orgId", select: "_id pid name avatar" })
.populate({ path: "createdBy", select: "_id pid name avatar" });
}
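Review bot: The `.populate({ path: "createdBy", select: "_id pid name avatar" })` call is left in place although `createdBy` was dropped from the new `.select("_id pid orgId firstName lastName name email avatar")`. If this is a Mongoose query, populated paths are added back to an inclusive projection, so I would expect `createdBy` (with the creator's name and avatar) to still be returned to clients; remove that populate, or apply it only on the non-client path. The narrowed select also looks unconditional in the visible lines, while the title says "when used by client", so callers with other roles would lose `role`, `status`, `blocked` and `lastLogin` unless the part of listUsers outside this hunk branches on `user.role`. A short comment above the select stating which roles get which projection, e.g. `// client-facing projection: identity fields only, no auth/lockout state`, would make the intent checkable.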