From 74e80fbfa5cb6fed60d4e556e33cbcbf9388f16c Mon Sep 17 00:00:00 2001
From: MathiasDPX
Date: Fri, 26 Sep 2025 18:52:35 +0200
Subject: [PATCH] fix: allow_public_stats_lookup was ignored
---
 app/controllers/api/v1/stats_controller.rb | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/app/controllers/api/v1/stats_controller.rb b/app/controllers/api/v1/stats_controller.rb
index f275b52f..65f9375f 100644
--- a/app/controllers/api/v1/stats_controller.rb
+++ b/app/controllers/api/v1/stats_controller.rb
@@ -34,6 +34,10 @@ def user_stats
 return render json: { error: "User not found" }, status: :not_found unless @user.present?
+ if !@user.allow_public_stats_lookup && (!current_user || current_user != @user)
+ return render json: { error: "user has disabled public stats" }, status: :forbidden
+ end
+
 start_date = params[:start_date].to_datetime if params[:start_date].present?
 start_date ||= 10.years.ago
 end_date = params[:end_date].to_datetime if params[:end_date].present?
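Review bot: The new 403 branch in user_stats tells an unauthenticated caller that the account exists and has opted out of public lookup, whereas an unknown user gets the 404 on the line above, so the two responses together confirm which accounts exist. If that distinction is not meant to be public, reuse the not-found response for the opt-out case, e.g. `return render json: { error: "User not found" }, status: :not_found unless @user.allow_public_stats_lookup || current_user == @user`. Separately, `(!current_user || current_user != @user)` reduces to `current_user != @user`, because `@user` is already known to be present at this point. The owner exemption only works if `current_user` is populated by whatever authentication this API endpoint uses, which is not visible here. user_stats begins and continues outside the hunk, and the diffstat shows no spec change, so a request spec covering anonymous, owner and other-user callers would be worth adding.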