feat(users): prevent route leaking access token (#1417)

The test for authentication uses the route /api/users/me. This should probably be upgraded to use
a proper passport mock.

In the meantime, this should make the returned user object safer, using code from core.

Fixes n/a
Daron Jones
2016-08-31 20:50:23 +01:00
committed by Liran Tal
parent 55525bdf31
commit 54ae7dc564
2 changed files with 23 additions and 4 deletions


@@ -59,7 +59,7 @@ exports.delete = function (req, res) {
* List of Users
*/
exports.list = function (req, res) {
User.find({}, '-salt -password').sort('-created').populate('user', 'displayName').exec(function (err, users) {
User.find({}, '-salt -password -providerData').sort('-created').populate('user', 'displayName').exec(function (err, users) {
if (err) {
return res.status(400).send({
message: errorHandler.getErrorMessage(err)
@@ -80,7 +80,7 @@ exports.userByID = function (req, res, next, id) {
});
}
User.findById(id, '-salt -password').exec(function (err, user) {
User.findById(id, '-salt -password -providerData').exec(function (err, user) {
if (err) {
return next(err);
} else if (!user) {
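Review bot: Both projections, in `exports.list` (`User.find`) and `exports.userByID` (`User.findById`), remain exclude-lists, so every field on the User schema other than `salt`, `password` and `providerData` is still returned, including any credential- or token-bearing field added to the model later. The schema is not visible here, so the model should be checked for other such fields; an include-list of the fields the admin views actually need would fail closed instead. At minimum, hold the string in one place, e.g. `var SAFE_USER_PROJECTION = '-salt -password -providerData';`, and pass it to both calls so the two cannot drift apart. Both function bodies continue outside the hunks shown.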