From ebcc1734964f9b3059cdf37874dcd71563402d3b Mon Sep 17 00:00:00 2001
From: Franz Liedke
Date: Fri, 9 Nov 2018 11:39:20 +0100
Subject: [PATCH] Fix leak of private information when updating users

Fixes #1628.
---
 framework/core/src/Api/Controller/UpdateUserController.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/framework/core/src/Api/Controller/UpdateUserController.php b/framework/core/src/Api/Controller/UpdateUserController.php
index 92781c85b..eb6aa80d8 100644
--- a/framework/core/src/Api/Controller/UpdateUserController.php
+++ b/framework/core/src/Api/Controller/UpdateUserController.php
@@ -12,6 +12,7 @@ namespace Flarum\Api\Controller;
 use Flarum\Api\Serializer\CurrentUserSerializer;
+use Flarum\Api\Serializer\UserSerializer;
 use Flarum\User\Command\EditUser;
 use Flarum\User\Exception\PermissionDeniedException;
 use Illuminate\Contracts\Bus\Dispatcher;
@@ -23,7 +24,7 @@ class UpdateUserController extends AbstractShowController
     /**
      * {@inheritdoc}
      */
-    public $serializer = CurrentUserSerializer::class;
+    public $serializer = UserSerializer::class;
 
     /**
      * {@inheritdoc}
@@ -52,6 +53,10 @@ class UpdateUserController extends AbstractShowController
         $actor = $request->getAttribute('actor');
         $data = array_get($request->getParsedBody(), 'data', []);
 
+        if ($actor->id == $id) {
+            $this->serializer = CurrentUserSerializer::class;
+        }
+
         // Require the user's current password if they are attempting to change
         // their own email address.
         if (isset($data['attributes']['email']) && $actor->id == $id) {
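Review bot: The added branch at `+        if ($actor->id == $id) {` switches the serializer only one way, so after a self-edit the instance is left on `CurrentUserSerializer` and the public `UserSerializer` default is never re-applied; the fix therefore holds only if every request gets a fresh controller instance, which this hunk cannot show. Assigning both sides on every call removes that dependence, e.g. `$this->serializer = $actor->id == $id ? CurrentUserSerializer::class : UserSerializer::class;` in place of the three added lines. The same `$actor->id == $id` test is repeated in the email check two lines below; computing it once as `$isSelf = (int) $id === $actor->id;` and using it in both places would also drop the loose `==`, assuming `$id` (defined above the hunk) is an integer-like route parameter and ids are integers. The enclosing method starts before this hunk and ends after it.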