Skip to content

Commit 4bc5646

Browse files
committed
Update fields returned by GET /api/v2/me
Prior to this change, the `GET /me` endpoint exposed potentially sensitive user attributes (e.g. `api_token`) as well as internal-only fields (e.g. `other_organisation`, `department_id`, `dmponline3`, etc.). Now the endpoint only returns useful information (note the language.name rather than language_id and org.name rather than org_id improvements as well).
1 parent 02b33c2 commit 4bc5646

1 file changed

Lines changed: 4 additions & 1 deletion

File tree

app/controllers/api/v2/base_api_controller.rb

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -28,7 +28,10 @@ def heartbeat
2828

2929
# GET /me.json - recommended for doorkeeper gem
3030
def me
31-
respond_with @resource_owner
31+
render json: @resource_owner.slice(:firstname, :surname, :email).merge(
32+
organisation: @resource_owner.org.name,
33+
language: @resource_owner.language&.name
34+
)
3235
end
3336

3437
private

0 commit comments

Comments
 (0)