fix: don't expose scope for non-admin users

filebrowser · Feb 21, 2022 · 0942fc7 · 0942fc7
1 parent c198723
commit 0942fc7
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/http/users.go b/http/users.go
@@ -94,6 +94,9 @@ var userGetHandler = withSelfOrAdmin(func(w http.ResponseWriter, r *http.Request
 	}
 
 	u.Password = ""
+	if !u.Perm.Admin {
+		u.Scope = ""
+	}
 	return renderJSON(w, r, u)
 })