fix: wrong validation on parseJsonQuery

d-gubert · d-gubert · commit 66a091799ebc · 2025-12-11T18:00:37.000-03:00
diff --git a/apps/meteor/app/api/server/helpers/parseJsonQuery.ts b/apps/meteor/app/api/server/helpers/parseJsonQuery.ts
@@ -31,10 +31,6 @@ export async function parseJsonQuery(api: GenericRouteExecutionContext): Promise
 	const queryFields = Array.isArray(api.queryFields) ? (api.queryFields as string[]) : [];
 	const queryOperations = Array.isArray(api.queryOperations) ? (api.queryOperations as string[]) : [];
 
-	if (!userId) {
-		throw new Meteor.Error('error-invalid-user', 'Invalid user');
-	}
-
 	let sort;
 	if (typeof params?.sort === 'string') {
 		try {
@@ -101,6 +97,10 @@ export async function parseJsonQuery(api: GenericRouteExecutionContext): Promise
 	// Limit the fields by default
 	fields = Object.assign({}, fields, API.v1.defaultFieldsToExclude);
 	if (route.includes('/v1/users.')) {
+		if (!userId) {
+			throw new Meteor.Error('error-invalid-user', 'Invalid user');
+		}
+
 		if (await hasPermissionAsync(userId, 'view-full-other-user-info')) {
 			fields = Object.assign(fields, API.v1.limitedUserFieldsToExcludeIfIsPrivilegedUser);
 		} else {
