author | Lauri Ojansivu <x@xet7.org> | 2018-06-12 21:13:50 +0300 |
---|---|---|
committer | Lauri Ojansivu <x@xet7.org> | 2018-06-12 21:13:50 +0300 |
commit | dda49d2f07f9c50d5d57acfd5c7eee6492f93b33 (patch) | |
tree | 0403567c7e19853ba1ada008d8ee55fb6578fe22 | |
parent | 53bd527947f2676d27743ada0b2c2ed568d2ee83 (diff) | |
download | wekan-dda49d2f07f9c50d5d57acfd5c7eee6492f93b33.tar.gz wekan-dda49d2f07f9c50d5d57acfd5c7eee6492f93b33.tar.bz2 wekan-dda49d2f07f9c50d5d57acfd5c7eee6492f93b33.zip |
- Security Fix: Do not publish all of people collection.
Thanks to Adrian Genaid !
-rw-r--r-- | server/publications/people.js | 28 |
1 files changed, 23 insertions, 5 deletions
diff --git a/server/publications/people.js b/server/publications/people.js
index f3c2bdfe..7c13bdcc 100644
--- a/server/publications/people.js
+++ b/server/publications/people.js
@@ -1,7 +1,25 @@
-Meteor.publish('people', (limit) => {
+Meteor.publish('people', function(limit) {
 check(limit, Number);
- return Users.find({}, {
- limit,
- sort: {createdAt: -1},
- });
+
+ if (!Match.test(this.userId, String)) {
+ return [];
+ }
+
+ const user = Users.findOne(this.userId);
+ if (user && user.isAdmin) {
+ return Users.find({}, {
+ limit,
+ sort: {createdAt: -1},
+ fields: {
+ 'username': 1,
+ 'profile.fullname': 1,
+ 'isAdmin': 1,
+ 'emails': 1,
+ 'createdAt': 1,
+ 'loginDisabled': 1,
+ },
+ });
+ } else {
+ return [];
+ }
 }); |
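Review bot: The client-supplied `limit` is still only checked with `check(limit, Number)`, which accepts NaN, Infinity and negative values, so an admin session can hand Mongo an unusable or unbounded limit; tightening it to `check(limit, Match.Integer);` and clamping it, e.g. `const safeLimit = Math.min(Math.max(limit, 1), 100);`, keeps the publication bounded. The admin lookup `Users.findOne(this.userId)` also loads the whole user document, including whatever `services` holds, when only the flag is needed — `Users.findOne(this.userId, { fields: { isAdmin: 1 } });` is sufficient. Note that the `isAdmin` check runs once at subscribe time, so if the flag is later cleared the existing subscription presumably keeps streaming until the client resubscribes; a comment above the `if (user && user.isAdmin)` line stating that this authorization is not reactive would help the next maintainer.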