From 505cf4a519b62849313530670fd15b34715d35d3 Mon Sep 17 00:00:00 2001
From: eikendev
Date: Tue, 4 Aug 2020 23:38:46 +0200
Subject: [PATCH] Do not expose password hashes over API

---
 api/user.go | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/api/user.go b/api/user.go
index c0fdb23..bd2b5f0 100644
--- a/api/user.go
+++ b/api/user.go
@@ -138,7 +138,13 @@ func (h *UserHandler) GetUsers(ctx *gin.Context) {
 return
 }
 
- ctx.JSON(http.StatusOK, &users)
+ var externalUsers []*model.ExternalUser
+
+ for _, user := range users {
+ externalUsers = append(externalUsers, user.IntoExternalUser())
+ }
+
+ ctx.JSON(http.StatusOK, &externalUsers)
 }
 
 // GetUser returns the user with the specified ID.
@@ -149,7 +155,7 @@ func (h *UserHandler) GetUser(ctx *gin.Context) {
 return
 }
 
- ctx.JSON(http.StatusOK, user)
+ ctx.JSON(http.StatusOK, user.IntoExternalUser())
 }
 
 // DeleteUser deletes a user with a certain ID.
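Review bot: `var externalUsers []*model.ExternalUser` in GetUsers starts as a nil slice, so when `users` is empty the loop appends nothing and `ctx.JSON` encodes the response body as `null` rather than `[]`. Whether the old `&users` had the same shape depends on the lookup above the hunk, which is not visible, so this may be a behaviour change for clients that iterate the result. Allocating up front avoids it and presizes the slice: `externalUsers := make([]*model.ExternalUser, 0, len(users))`; the pointer in `&externalUsers` is also unnecessary. GetUsers begins above the hunk.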
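Review bot: Stripping the hash by calling `user.IntoExternalUser()` at each `ctx.JSON` call in GetUser (and in GetUsers) is opt-in, so any other handler that serializes a `model.User` directly would still return the hash. `model.User` is not part of this patch, so this is inferred, but tagging its password-hash field with `json:"-"` would make the internal type safe to marshal by accident while keeping the conversion as the explicit API shape. A handler test asserting that the response body contains no hash field would pin the fix. GetUser begins above the hunk.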