Allow user details only for the same user or admins

This commit is contained in:
Johannes Zellner
2016-02-25 13:44:53 +01:00
parent b5b0ab7475
commit 4f7fd9177c


@@ -136,6 +136,8 @@ function listUser(req, res, next) {
function info(req, res, next) {
assert.strictEqual(typeof req.params.userId, 'string');
if (req.user.id !== req.params.userId && !req.user.admin) return next(new HttpError(403, 'Not allowed'));
user.get(req.params.userId, function (error, result) {
if (error && error.reason === UserError.NOT_FOUND) return next(new HttpError(404, 'No such user'));
if (error) return next(new HttpError(500, error));