Description
When you enable "Hide responses from respondents" (blindAvailabilityEnabled), the backend still returns all respondents' data. The frontend filters it client-side, but anyone can see everything by checking network requests or calling the APIs directly.
Two endpoints are affected:
- GET /api/events/{eventId} (getEvent function in server/routes/events.go)
  - Returns all responses with full user details (firstName, lastName, _id, email, etc.) even when blindAvailabilityEnabled is true
  - No check for the privacy setting at all
- GET /api/events/{eventId}/responses (getResponses function in server/routes/events.go)
  - Returns all responses with userId fields and each user's availability even when blindAvailabilityEnabled is true
  - You can map these userIds to the user details from the first endpoint
(both these endpoints are called whenever the Event.vue component is created/mounted)
The frontend does filter responses in ScheduleOverlap.vue (around line 1776), but that's just hiding it in the UI. All the data is still being sent over the network.
Expected behavior: When blindAvailabilityEnabled is true and you're not the event owner, you should only see your own response, not everyone else's.
I'm happy to work on fixing this - it should be a backend change to filter responses before returning them based on whether the requester is the owner and whether privacy is enabled.
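As an added illustration of the proposed server-side fix (example code written for this issue, not code from the project), the filter below is applied before either endpoint serializes its result. The types are constructed stand-ins for the project's real models, and the requester's user ID is assumed to come from the authenticated session; an unauthenticated requester gets an empty ID and therefore sees no other respondent's data while blindAvailabilityEnabled is set.

```go
package main

import "fmt"

// Constructed stand-ins for the project's models (field names assumed).
type User struct {
	ID        string
	FirstName string
	LastName  string
	Email     string
}

type Response struct {
	UserID       string
	Availability []string // slots the user marked as available (constructed)
}

type Event struct {
	ID                       string
	OwnerID                  string
	BlindAvailabilityEnabled bool
	Responses                []Response
}

// canSeeAll reports whether the requester may see every response: either
// the privacy setting is off, or the requester owns the event.
func canSeeAll(ev Event, requesterID string) bool {
	return !ev.BlindAvailabilityEnabled || (requesterID != "" && requesterID == ev.OwnerID)
}

// visibleResponses is what GET /api/events/{eventId}/responses should return
// for this requester: everything for the owner (or when privacy is off),
// otherwise only the requester's own response.
func visibleResponses(ev Event, requesterID string) []Response {
	if canSeeAll(ev, requesterID) {
		return ev.Responses
	}
	out := make([]Response, 0, 1)
	for _, r := range ev.Responses {
		if requesterID != "" && r.UserID == requesterID {
			out = append(out, r)
		}
	}
	return out
}

// visibleUsers applies the same rule to the user details embedded in
// GET /api/events/{eventId}, so userIds cannot be joined back to names
// or emails of other respondents. Only users who actually have a visible
// response are returned.
func visibleUsers(ev Event, users map[string]User, requesterID string) []User {
	out := make([]User, 0)
	for _, r := range visibleResponses(ev, requesterID) {
		if u, ok := users[r.UserID]; ok {
			out = append(out, u)
		}
	}
	return out
}

func main() {
	// Constructed sample data.
	users := map[string]User{
		"owner": {ID: "owner", FirstName: "Olive", LastName: "Owner", Email: "olive@example.invalid"},
		"alice": {ID: "alice", FirstName: "Alice", LastName: "A", Email: "alice@example.invalid"},
		"bob":   {ID: "bob", FirstName: "Bob", LastName: "B", Email: "bob@example.invalid"},
	}
	ev := Event{
		ID: "evt-1", OwnerID: "owner", BlindAvailabilityEnabled: true,
		Responses: []Response{
			{UserID: "owner", Availability: []string{"mon-09"}},
			{UserID: "alice", Availability: []string{"mon-10"}},
			{UserID: "bob", Availability: []string{"tue-09"}},
		},
	}
	for _, who := range []string{"owner", "alice", ""} {
		fmt.Printf("requester %q sees %d responses, %d users\n",
			who, len(visibleResponses(ev, who)), len(visibleUsers(ev, users, who)))
	}
}
```

The same helper serves both endpoints, which is the point: the response list and the user-detail list must be filtered by one rule, otherwise one of them leaks the mapping the other withholds.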