From ffa56e6c8167ae0f63886efb0f6bf5a381c52b98 Mon Sep 17 00:00:00 2001
From: Elliot DeNolf
Date: Mon, 26 Oct 2020 20:20:36 -0400
Subject: [PATCH] fix: /me only works on current user's collection
---
 src/auth/operations/me.js | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/src/auth/operations/me.js b/src/auth/operations/me.js
index 65471b0191..2a5a4ed690 100644
--- a/src/auth/operations/me.js
+++ b/src/auth/operations/me.js
@@ -1,11 +1,20 @@
 const jwt = require('jsonwebtoken');
+const httpStatus = require('http-status');
 const getExtractJWT = require('../getExtractJWT');
+const { APIError } = require('../../errors');
+
 async function me({ req }) {
   const extractJWT = getExtractJWT(this.config);
   if (req.user) {
+    const requestedSlug = req.route.path.split('/').filter((r) => r !== '')[0];
     const user = { ...req.user };
+
+    if (user.collection !== requestedSlug) {
+      throw new APIError('Incorrect collection', httpStatus.FORBIDDEN);
+    }
+
     delete user.collection;
     const response = {