From 313f9115fbd16a5ac9dcc85d870e5ef8b46bc612 Mon Sep 17 00:00:00 2001
From: MathiasDPX <56231137+MathiasDPX@users.noreply.github.com>
Date: Tue, 4 Nov 2025 20:49:07 +0100
Subject: [PATCH] fix: allow_public_stats_lookup was ignored (#545)
---
 app/controllers/api/v1/stats_controller.rb | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/app/controllers/api/v1/stats_controller.rb b/app/controllers/api/v1/stats_controller.rb
index f275b52..65f9375 100644
--- a/app/controllers/api/v1/stats_controller.rb
+++ b/app/controllers/api/v1/stats_controller.rb
@@ -34,6 +34,10 @@ class Api::V1::StatsController < ApplicationController
 return render json: { error: "User not found" }, status: :not_found unless @user.present?
+ if !@user.allow_public_stats_lookup && (!current_user || current_user != @user)
+ return render json: { error: "user has disabled public stats" }, status: :forbidden
+ end
+
 start_date = params[:start_date].to_datetime if params[:start_date].present?
 start_date ||= 10.years.ago
 end_date = params[:end_date].to_datetime if params[:end_date].present?
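Review bot: The owner exemption in the added guard relies on `current_user`, and the hunk does not show how this API controller populates it; if it is session-only, an owner calling with an API token would presumably receive the 403 for their own stats, so that path is worth confirming. The condition itself can be shortened: `@user` is known to be present at this point, so `current_user != @user` already covers the anonymous case and the `!current_user ||` arm is redundant, e.g. `if !@user.allow_public_stats_lookup && current_user != @user`. The commit touches only the controller, so a request test covering anonymous, other-user and owner callers against a user with the flag off would keep this privacy setting from being ignored again unnoticed. The enclosing action starts and ends outside the hunk, so it is not visible whether other lookups in this controller need the same check; if they do, a shared `before_action` would keep them consistent.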