From 0536b208e1c31d5c9911d231413f2d1a66683f70 Mon Sep 17 00:00:00 2001
From: Toby Zerner
Date: Fri, 9 Nov 2018 21:21:21 +1030
Subject: [PATCH] Fix leak of private information when updating users
---
 src/Api/Controller/UpdateUserController.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/Api/Controller/UpdateUserController.php b/src/Api/Controller/UpdateUserController.php
index d11e07e68..a1865f3ab 100644
--- a/src/Api/Controller/UpdateUserController.php
+++ b/src/Api/Controller/UpdateUserController.php
@@ -11,6 +11,8 @@
 namespace Flarum\Api\Controller;
+use Flarum\Api\Serializer\CurrentUserSerializer;
+use Flarum\Api\Serializer\UserSerializer;
 use Flarum\Core\Command\EditUser;
 use Flarum\Core\Exception\PermissionDeniedException;
 use Illuminate\Contracts\Bus\Dispatcher;
@@ -22,7 +24,7 @@ class UpdateUserController extends AbstractResourceController
 /**
 * {@inheritdoc}
 */
- public $serializer = 'Flarum\Api\Serializer\CurrentUserSerializer';
+ public $serializer = UserSerializer::class;
 /**
 * {@inheritdoc}
@@ -51,6 +53,10 @@ class UpdateUserController extends AbstractResourceController
 $actor = $request->getAttribute('actor');
 $data = array_get($request->getParsedBody(), 'data', []);
+ if ($actor->id == $id) {
+ $this->serializer = CurrentUserSerializer::class;
+ }
+
 // Require the user's current password if they are attempting to change
 // their own email address.
 if (isset($data['attributes']['email']) && $actor->id == $id) {
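Review bot: The privileged serializer is selected by mutating instance state on `$this->serializer = CurrentUserSerializer::class;` and nothing in this method ever sets it back, so the choice is only per-request as long as a fresh controller instance is built for every request; if the instance is ever reused (a caching resolver or a long-running runtime), one self-edit would leave every later response from this controller using the serializer that exposes private fields. The guard `if ($actor->id == $id)` is also a loose comparison: `$id` is assigned above the hunk and presumably arrives as a string from the route, and on PHP 7 `0 == 'abc'` is true, so an actor whose id is 0 combined with a non-numeric id would select the privileged serializer — the user lookup would most likely fail before anything is serialized, but the check should not depend on that. Both points are covered by deciding after the edit has succeeded, against the loaded model, and assigning both branches explicitly, e.g. `$user = $this->bus->dispatch(new EditUser($id, $actor, $data));` followed by `$this->serializer = $actor->id === $user->id ? CurrentUserSerializer::class : UserSerializer::class;`, which compares two integer ids and resets the property on every call. The dispatch and return of this method lie below the hunk, so the exact dispatch line is inferred from the imports rather than visible here.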