From d2af6893066bade34f5c6ae94274ce65bfac7ac5 Mon Sep 17 00:00:00 2001
From: Akhil Meka
Date: Tue, 2 Sep 2025 19:57:41 +0530
Subject: [PATCH] feat: only return essential fields for the user endpoints when used by client
---
 src/user/user.controller.ts | 3 +++
 src/user/user.service.ts | 4 +---
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/user/user.controller.ts b/src/user/user.controller.ts
index c6b7e6e..bb7663a 100644
--- a/src/user/user.controller.ts
+++ b/src/user/user.controller.ts
@@ -76,6 +76,9 @@ export async function getUserHandler(req: FastifyRequest, res: FastifyReply) {
 if (user == null) return res.code(404).send({ error: "resource not found" });
+ if (req.user.role == "client" && user.orgId.toString() != req.user.orgId)
+ return res.code(404).send({ error: "resource not found" });
+
 return res.code(200).send(user);
 } catch (err) {
 return err;
diff --git a/src/user/user.service.ts b/src/user/user.service.ts
index 6849c52..00f557c 100644
--- a/src/user/user.service.ts
+++ b/src/user/user.service.ts
@@ -157,9 +157,7 @@ export async function listUsers(user: AuthenticatedUser) {
 { dev: { $ne: true } },
 ],
 })
- .select(
- "_id pid orgId firstName lastName name email role avatar status createdAt createdBy lastLogin blocked failedLoginCount"
- )
+ .select("_id pid orgId firstName lastName name email avatar")
 .populate({ path: "orgId", select: "_id pid name avatar" })
 .populate({ path: "createdBy", select: "_id pid name avatar" });
 }
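Review bot: The added org check throws instead of answering 404 when `user.orgId` is unset, and its `.toString()` comparison only holds if getUser returns `orgId` as a raw id — listUsers below populates that path, so confirm getUser does not, or every client request will fail the compare; guard the unset case and use strict equality, e.g. `const ownerOrg = user.orgId == null ? "" : String(user.orgId);` followed by `if (req.user.role === "client" && ownerOrg !== String(req.user.orgId))`. A throw on that line lands in the surrounding `catch (err) { return err; }`, which surfaces as a 500 rather than the not-found the check intends. Answering the cross-org case with the same 404 body as a missing id is the right choice, since it does not confirm that the id exists. The subject promises trimmed fields for clients, but this path still sends the whole `user` document, so whatever projection getUser applies is what a client receives here. getUserHandler starts and ends outside the hunk.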
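Review bot: The narrowed `.select` applies to every caller of listUsers regardless of `user.role`, although the subject scopes the change to clients; if non-client views rely on `role`, `status` or `blocked`, they lose them here, so key the projection on the caller's role (sketch below). Dropping `failedLoginCount`, `blocked` and `lastLogin` from what clients can see is the right direction — those are account-security signals, not profile data. The unchanged `.populate({ path: "createdBy", ... })` now names a path that is no longer in the projection; depending on the Mongoose version it is either a no-op or silently adds `createdBy` back, so confirm which and remove the populate if the field is meant to be gone. listUsers starts outside the hunk.
```typescript
export async function listUsers(user: AuthenticatedUser) {
  // Clients receive profile fields only; other roles keep the operational columns.
  const projection =
    user.role === "client"
      ? "_id pid orgId firstName lastName name email avatar"
      : "_id pid orgId firstName lastName name email role avatar status createdAt createdBy lastLogin blocked failedLoginCount";
  // … unchanged: query filter …
    .select(projection)
    .populate({ path: "orgId", select: "_id pid name avatar" })
    .populate({ path: "createdBy", select: "_id pid name avatar" });
}
```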