Bug Description
On the settings page you can toggle which widgets show up on your public profile (/u/[username]) — streak, contributions, languages, PRs. Problem is, that toggle only controls what the page renders. If you just hit the API directly (/api/public/[username]), you get back every single stat regardless of what you've turned off. So if someone unchecks "languages" because they don't want people seeing what they've been coding in, that data's still sitting right there for anyone who opens dev tools or just calls the endpoint themselves.
Basically the privacy setting is cosmetic. It looks like it's hiding your data but it's really just telling the frontend "don't draw this box," while the API keeps handing it out anyway.
Steps to Reproduce
- Log in, go to Settings, and turn off one of the public widgets — say, "Languages."
- Save, then visit your own public profile page /u/yourusername and confirm the Languages card is gone.
- Now open a new tab (or just use curl) and hit /api/public/yourusername directly.
- Look at the JSON — topLanguages is right there in full, same as if you'd never turned it off.
Affected Area
Settings
Screenshots
No response
Browser & OS
Chrome 126 on Windows 11
Environment
None
Additional Context
Relevant files: src/lib/public-profile-data.ts (the fetchPublicProfile function builds and returns all fields no matter what), and src/app/u/[username]/page.tsx (where the actual filtering happens, but only for rendering line ~225, widgets.includes("languages") etc).
The fix should be moving that filter server-side, into fetchPublicProfile (or right before the route returns), so disabled widgets get stripped from the payload itself.
Bug Description
On the settings page you can toggle which widgets show up on your public profile (/u/[username]) — streak, contributions, languages, PRs. Problem is, that toggle only controls what the page renders. If you just hit the API directly (/api/public/[username]), you get back every single stat regardless of what you've turned off. So if someone unchecks "languages" because they don't want people seeing what they've been coding in, that data's still sitting right there for anyone who opens dev tools or just calls the endpoint themselves.
Basically the privacy setting is cosmetic. It looks like it's hiding your data but it's really just telling the frontend "don't draw this box," while the API keeps handing it out anyway.
Steps to Reproduce
Affected Area
Settings
Screenshots
No response
Browser & OS
Chrome 126 on Windows 11
Environment
None
Additional Context
Relevant files: src/lib/public-profile-data.ts (the fetchPublicProfile function builds and returns all fields no matter what), and src/app/u/[username]/page.tsx (where the actual filtering happens, but only for rendering line ~225, widgets.includes("languages") etc).
The fix should be moving that filter server-side, into fetchPublicProfile (or right before the route returns), so disabled widgets get stripped from the payload itself.