return stub user from users/show to unauthorized clients

packages/backend/src/server/api/endpoints/users/show.ts

@@ -16,12 +16,13 @@ import { RoleService } from '@/core/RoleService.js';
 import { ApiError } from '../../error.js';
 import { ApiLoggerService } from '../../ApiLoggerService.js';
 import type { FindOptionsWhere } from 'typeorm';
+import type { Config } from '@/config.js';
 
 export const meta = {
 	tags: ['users'],
 
 	requireCredential: false,
-	requireCredentialSecureMode: true,
+	requireCredentialSecureMode: false, // Handle secure mode below
 
 	description: 'Show the properties of a user.',
 
@@ -83,6 +84,9 @@ export const paramDef = {
 @Injectable()
 export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-disable-line import/no-default-export
 	constructor(
+		@Inject(DI.config)
+		private config: Config,
+
 		@Inject(DI.usersRepository)
 		private usersRepository: UsersRepository,
 
@@ -148,8 +152,10 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 					}
 				}
 
+				const allowRequest = me != null || !this.config.secureApiMode;
+
 				return await this.userEntityService.pack(user, me, {
-					schema: 'UserDetailed',
+					schema: allowRequest ? 'UserDetailed' : 'UserLogin',
 				});
 			}
 		});