From 5bee324c6a2e6e5a2ba4693f5603c8f1918152d6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Fri, 12 Apr 2024 16:25:24 -0400
Subject: [PATCH] fix: add canView check to /api/v3/users/:uid
---
 src/api/users.js | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/api/users.js b/src/api/users.js
index 7c8a725019..2bd4779409 100644
--- a/src/api/users.js
+++ b/src/api/users.js
@@ -41,6 +41,10 @@ usersAPI.create = async function (caller, data) {
 };
 usersAPI.get = async (caller, { uid }) => {
+ const canView = await privileges.global.can('view:users', caller.uid);
+ if (!canView) {
+ throw new Error('[[error:no-privileges]]');
+ }
 const userData = await user.getUserData(uid);
 return await user.hidePrivateData(userData, caller.uid);
 };
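Review bot: The new `view:users` gate at the top of `usersAPI.get` lands without a regression test (the diffstat lists only `src/api/users.js`), so nothing pins that a caller lacking the privilege receives `[[error:no-privileges]]` instead of profile data. A test that removes `view:users` from the caller and asserts the rejection for both an existing and a non-existing uid would also confirm the check runs before `user.getUserData(uid)`, so the error does not reveal whether an account exists. The gate also applies when `caller.uid` equals the requested `uid`; if that is intended, a comment such as `// view:users is required even for the caller's own record` above the check would record it, and if not, self-lookups need an explicit exception. Other handlers in this file that return user data are outside the hunk and may need the same gate.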