From 59c187f3b769550e788a5fbf8031fc59fa33b41b Mon Sep 17 00:00:00 2001
From: Gauthier Roebroeck
Date: Wed, 1 Sep 2021 11:56:15 +0800
Subject: [PATCH] fix(api): prevent retrieving own user activity in demo profile
closes #643
---
 .../kotlin/org/gotson/komga/interfaces/rest/UserController.kt | 1 +
 1 file changed, 1 insertion(+)
diff --git a/komga/src/main/kotlin/org/gotson/komga/interfaces/rest/UserController.kt b/komga/src/main/kotlin/org/gotson/komga/interfaces/rest/UserController.kt
index f892ca738..afdc3d5b9 100644
--- a/komga/src/main/kotlin/org/gotson/komga/interfaces/rest/UserController.kt
+++ b/komga/src/main/kotlin/org/gotson/komga/interfaces/rest/UserController.kt
@@ -161,6 +161,7 @@ class UserController(
 @RequestParam(name = "unpaged", required = false) unpaged: Boolean = false,
 @Parameter(hidden = true) page: Pageable,
 ): Page {
+ if (demo && !principal.user.roleAdmin) throw ResponseStatusException(HttpStatus.FORBIDDEN)
 val sort = if (page.sort.isSorted) page.sort else Sort.by(Sort.Order.desc("dateTime"))