familienarchiv/frontend/src/routes/admin/users/+layout.server.ts at 393cb52178d03718abc1c937a3e209b9018c0af1 - familienarchiv - Gitea: Git with a cup of tea

marcel/familienarchiv

Files

Marcel 8fc360a596 fix(admin): guard GET /api/users/{id} with @RequirePermission(ADMIN_USER)

Fixes IDOR: the endpoint was publicly accessible to any authenticated user.
Now requires ADMIN_USER permission, matching all other user management endpoints.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-03-30 01:09:40 +02:00

9 lines

286 B

TypeScript

Raw Blame History

 import { createApiClient } from '$lib/api.server';
 import type { LayoutServerLoad } from './$types';
 export const load: LayoutServerLoad = async ({ fetch }) => {
 	const api = createApiClient(fetch);
 	const result = await api.GET('/api/users');
 	return { users: result.data ?? [] };
 };