From d96286d7716781bd4be4a41ec5a587211ded6e71 Mon Sep 17 00:00:00 2001
From: sbwalker
Date: Wed, 27 Nov 2024 13:15:43 -0500
Subject: [PATCH] User Settings should only be accessible to individual users or administrators
---
 Oqtane.Server/Controllers/UserController.cs | 15 +--------------
 1 file changed, 1 insertion(+), 14 deletions(-)
diff --git a/Oqtane.Server/Controllers/UserController.cs b/Oqtane.Server/Controllers/UserController.cs
index 283ccf91d..b63f644b9 100644
--- a/Oqtane.Server/Controllers/UserController.cs
+++ b/Oqtane.Server/Controllers/UserController.cs
@@ -145,20 +145,7 @@ private User Filter(User user)
 filtered.DeletedBy = user.DeletedBy;
 filtered.DeletedOn = user.DeletedOn;
 filtered.IsDeleted = user.IsDeleted;
- }
-
- // if authenticated user is accessing their own user account
- if (_userPermissions.GetUser(User).UserId == user.UserId)
- {
- // include all settings
- filtered.Settings = user.Settings;
- }
- else
- {
- // include only public settings
- filtered.Settings = _settings.GetSettings(EntityNames.User, user.UserId)
- .Where(item => !item.IsPrivate)
- .ToDictionary(setting => setting.SettingName, setting => setting.SettingValue);
+ filtered.Settings = user.Settings; // include all settings
 }
 }
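Review bot: The added `filtered.Settings = user.Settings;` relies entirely on the enclosing `if`, whose condition starts outside this hunk, to decide who receives private settings. The explicit `UserId == user.UserId` check it replaces is gone, so that condition should be confirmed to admit exactly the account owner and administrators. For every other caller `filtered.Settings` is no longer assigned, so it keeps whatever a new `User` starts with, which may be null; if clients index into it, assigning an empty dictionary on the non-privileged path would keep the response shape stable without exposing anything. The trailing comment would say more as `// all settings, including private ones: owner or administrator only`. A regression test asserting that a non-administrator requesting another user's record receives no settings would pin the access rule in the commit title.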