From 2da404953b2630610116078f98a201cb1a32bf4a Mon Sep 17 00:00:00 2001
From: fallenbagel <98979876+Fallenbagel@users.noreply.github.com>
Date: Sun, 19 Nov 2023 10:21:57 +0500
Subject: [PATCH] fix(middleware): enhanced user privacy on profile pages
Addresses a security vulnerability where the `/users/[:id]` route was accessible to users without the necessary permissions. Adds middleware that protects that route so that only authenticated users with the MANAGE_USERS and VIEW_WATCHLIST permissions can access other user's profile pages as intended.
fix #569
---
 server/routes/user/index.ts | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)
diff --git a/server/routes/user/index.ts b/server/routes/user/index.ts
index 9d9370cf..a3799820 100644
--- a/server/routes/user/index.ts
+++ b/server/routes/user/index.ts
@@ -182,21 +182,26 @@ router.post<
 }
 });
-router.get<{ id: string }>('/:id', async (req, res, next) => {
- try {
- const userRepository = getRepository(User);
+router.get<{ id: string }>(
+ '/:id',
+ isAuthenticated([Permission.MANAGE_USERS, Permission.WATCHLIST_VIEW]),
+ async (req, res, next) => {
+ try {
+ const userRepository = getRepository(User);
- const user = await userRepository.findOneOrFail({
- where: { id: Number(req.params.id) },
- });
+ const user = await userRepository.findOneOrFail({
+ where: { id: Number(req.params.id) },
+ });
- return res
- .status(200)
- .json(user.filter(req.user?.hasPermission(Permission.MANAGE_USERS)));
- } catch (e) {
- next({ status: 404, message: 'User not found.' });
+ return res
+ .status(200)
+ .json(user.filter(req.user?.hasPermission(Permission.MANAGE_USERS)));
+ } catch (e) {
+ console.log(e);
+ next({ status: 404, message: 'User not found.' });
+ }
 }
-});
+);
 router.use('/:id/settings', userSettingsRoutes);
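Review bot: The new `isAuthenticated([Permission.MANAGE_USERS, Permission.WATCHLIST_VIEW])` guard on the `'/:id'` route makes every lookup conditional on that permission list, so a signed-in user who holds neither permission can no longer fetch their own record through this endpoint, and whether a caller needs one or both permissions depends on the middleware's default combination mode, which is not visible in this hunk and which the commit message ("MANAGE_USERS and VIEW_WATCHLIST") leaves ambiguous. If the profile page loads the current user through this route, the self-view case needs an explicit exemption; the rule is easier to audit inside the handler, comparing `req.user.id` with the parsed id and accepting either permission with the single-permission `hasPermission` form the response filter already uses. The added `console.log(e)` writes the raw exception to stdout in a catch that then reports every failure, including database errors, as `404 'User not found.'`; route it through the project's logger or drop it. The `.json(user.filter(...))` line still decides field visibility by `MANAGE_USERS` alone, which matches the intent but deserves a comment such as `// Non-admins receive the reduced public view of another user's record`.

```typescript
router.get<{ id: string }>('/:id', async (req, res, next) => {
  const targetId = Number(req.params.id);
  const viewer = req.user;
  // A user may always read their own record; anyone else's needs either permission.
  const mayView =
    !!viewer &&
    (viewer.id === targetId ||
      viewer.hasPermission(Permission.MANAGE_USERS) ||
      viewer.hasPermission(Permission.WATCHLIST_VIEW));
  if (!mayView) {
    return next({ status: 403, message: 'You do not have permission to view this user.' });
  }
  try {
    // … unchanged: repository lookup, filtered JSON response, catch …
```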