diff options
author | Alexander Sulfrian <alexander@sulfrian.net> | 2016-04-21 19:24:42 +0200 |
---|---|---|
committer | Maxime Quandalle <maxime@quandalle.com> | 2016-04-21 19:24:42 +0200 |
commit | abc58e74828ef6c37cce2b53086c323059ab844c (patch) | |
tree | 8cdea240ed9a29bfbb03a498f52e892742e9439b | |
parent | 3a0a9fa0090b1090457ad533a63c2217be1b1c3a (diff) | |
download | wekan-abc58e74828ef6c37cce2b53086c323059ab844c.tar.gz wekan-abc58e74828ef6c37cce2b53086c323059ab844c.tar.bz2 wekan-abc58e74828ef6c37cce2b53086c323059ab844c.zip |
Do not publish the whole user doc of board members (#579)
The user document contains hashed passwords and hashed resume tokens.
We should only publish the required bits.
-rw-r--r-- | server/publications/boards.js | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/server/publications/boards.js b/server/publications/boards.js index 0446a647..cd3ef238 100644 --- a/server/publications/boards.js +++ b/server/publications/boards.js @@ -105,7 +105,11 @@ Meteor.publishRelations('board', function(boardId) { // this.cursor(Users.find({ _id: { $in: _.pluck(board.members, 'userId') }, - }), function(userId) { + }, { fields: { + 'username': 1, + 'profile.fullname': 1, + 'profile.avatarUrl': 1, + }}), function(userId) { // Presence indicators this.cursor(presences.find({ userId })); }); |