Do not show suspended users to non admins (#3776)

2022-07-13 09:59:06 +02:00
parent dd6084d044
commit 973cfc3fa3
3 changed files with 75 additions and 37 deletions
--- a/server/routes/api/users.ts
+++ b/server/routes/api/users.ts
@@ -44,6 +44,16 @@ router.post("users.list", auth(), pagination(), async (ctx) => {
    teamId: actor.teamId,
  };

+  // Filter out suspended users if we're not an admin
+  if (!actor.isAdmin) {
+    where = {
+      ...where,
+      suspendedAt: {
+        [Op.eq]: null,
+      },
+    };
+  }
+
  switch (filter) {
    case "invited": {
      where = { ...where, lastActiveAt: null };
@@ -61,12 +71,14 @@ router.post("users.list", auth(), pagination(), async (ctx) => {
    }

    case "suspended": {
-      where = {
-        ...where,
-        suspendedAt: {
-          [Op.ne]: null,
-        },
-      };
+      if (actor.isAdmin) {
+        where = {
+          ...where,
+          suspendedAt: {
+            [Op.ne]: null,
+          },
+        };
+      }
      break;
    }