From 0942fc7042fd949cce91855169d0bcf16eb75771 Mon Sep 17 00:00:00 2001
From: Oleg Lobanov
Date: Mon, 21 Feb 2022 20:17:42 +0100
Subject: [PATCH] fix: don't expose scope for non-admin users
---
 http/users.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/http/users.go b/http/users.go
index a2ec72fe..66aab7e2 100644
--- a/http/users.go
+++ b/http/users.go
@@ -94,6 +94,9 @@ var userGetHandler = withSelfOrAdmin(func(w http.ResponseWriter, r *http.Request
 }
 u.Password = ""
+ if !u.Perm.Admin {
+ u.Scope = ""
+ }
 return renderJSON(w, r, u)
 })
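Review bot: The added guard `if !u.Perm.Admin` tests the admin flag of the user record being returned, not of the caller, so the decision to hide `Scope` is keyed to the wrong principal. Because the handler is wrapped in `withSelfOrAdmin`, an admin fetching a non-admin account would also receive an empty `Scope`, and a client that writes the fetched object back could blank the stored value (that write path is not visible here). The check should use the authenticated requester's permissions, e.g. `if !requester.Perm.Admin { u.Scope = "" }`, where `requester` is a placeholder for whatever the closure exposes for the caller; the signature is truncated in the hunk header and the body begins above the hunk. A short comment such as `// Scope is admin-only information; clear it for other callers.` would record why the field is blanked next to `u.Password = ""`.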