feat: only return essential fields for the user endpoints when used by client
@@ -76,6 +76,9 @@ export async function getUserHandler(req: FastifyRequest, res: FastifyReply) {
|
|||||||
if (user == null)
|
if (user == null)
|
||||||
return res.code(404).send({ error: "resource not found" });
|
return res.code(404).send({ error: "resource not found" });
|
||||||
|
|
||||||
|
if (req.user.role == "client" && user.orgId.toString() != req.user.orgId)
|
||||||
|
return res.code(404).send({ error: "resource not found" });
|
||||||
|
|
||||||
return res.code(200).send(user);
|
return res.code(200).send(user);
|
||||||
} catch (err) {
|
} catch (err) {
|
||||||
return err;
|
return err;
|
||||||
|
|||||||
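Review bot: The org-scoping guard added before `return res.code(200).send(user)` uses loose comparison and throws when `user.orgId` is absent: `user.orgId.toString()` on `undefined` raises a TypeError that lands in `catch (err) { return err; }`, so an authorization miss becomes a 500 carrying the error object instead of the same 404 the guard intends. A non-throwing strict form, `if (req.user.role === "client" && String(user.orgId) !== String(req.user.orgId))`, fails closed with the same response on a missing or malformed id. The commit title promises essential-fields-only responses for clients, but this handler still sends the whole `user` document; unless the lookup above the hunk already applies a `.select`, clients receive fields such as role, status, blocked and failedLoginCount here that the list endpoint now withholds. getUserHandler starts and ends outside the hunk.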
@@ -157,9 +157,7 @@ export async function listUsers(user: AuthenticatedUser) {
|
|||||||
{ dev: { $ne: true } },
|
{ dev: { $ne: true } },
|
||||||
],
|
],
|
||||||
})
|
})
|
||||||
.select(
|
.select("_id pid orgId firstName lastName name email avatar")
|
||||||
"_id pid orgId firstName lastName name email role avatar status createdAt createdBy lastLogin blocked failedLoginCount"
|
|
||||||
)
|
|
||||||
.populate({ path: "orgId", select: "_id pid name avatar" })
|
.populate({ path: "orgId", select: "_id pid name avatar" })
|
||||||
.populate({ path: "createdBy", select: "_id pid name avatar" });
|
.populate({ path: "createdBy", select: "_id pid name avatar" });
|
||||||
}
|
}
|
||||||
|
|||||||
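Review bot: The narrowed `.select("_id pid orgId firstName lastName name email avatar")` is applied unconditionally, while the commit says the reduction is meant for "when used by client"; within this hunk `listUsers` does not branch on `user.role`, so unless a role-specific query exists above the hunk, non-client callers also lose role, status, createdAt, createdBy, lastLogin, blocked and failedLoginCount. If that is intended, the title and a comment on the select should say so; otherwise choose the projection per role, e.g. `const fields = user.role === "client" ? CLIENT_USER_FIELDS : FULL_USER_FIELDS;` and pass `fields` to `.select`. Either way, hoisting the two field strings into named module constants keeps the client-safe projection in one place and makes it easy to verify that account-security state (blocked, failedLoginCount, lastLogin) is never projected for clients. The chained `.populate({ path: "createdBy", select: "_id pid name avatar" })` now refers to a field that is no longer selected and is likely a no-op for this projection. listUsers starts outside the hunk.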