authorAlexander Sulfrian <alexander@sulfrian.net>2016-04-21 19:24:42 +0200
committerMaxime Quandalle <maxime@quandalle.com>2016-04-21 19:24:42 +0200
commitabc58e74828ef6c37cce2b53086c323059ab844c (patch)
tree8cdea240ed9a29bfbb03a498f52e892742e9439b
parent3a0a9fa0090b1090457ad533a63c2217be1b1c3a (diff)
Do not publish the whole user doc of board members (#579)
The user document contains hashed passwords and hashed resume tokens. We should only publish the required bits.
-rw-r--r--server/publications/boards.js6
1 files changed, 5 insertions, 1 deletions
diff --git a/server/publications/boards.js b/server/publications/boards.js
index 0446a647..cd3ef238 100644
--- a/server/publications/boards.js
+++ b/server/publications/boards.js
@@ -105,7 +105,11 @@ Meteor.publishRelations('board', function(boardId) {
//
this.cursor(Users.find({
_id: { $in: _.pluck(board.members, 'userId') },
- }), function(userId) {
+ }, { fields: {
+ 'username': 1,
+ 'profile.fullname': 1,
+ 'profile.avatarUrl': 1,
+ }}), function(userId) {
// Presence indicators
this.cursor(presences.find({ userId }));
});
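Review bot: The field allow-list passed to `Users.find` is written inline with no comment explaining why it exists, so a later edit could widen or drop it without realising that the `services` sub-document (hashed password and resume tokens, per the commit message) would be sent to every board member again. I would add a comment directly above `{ fields: {`, for example `// Allow-list only: never publish 'services' (password hash, resume tokens) to other board members`. The nested `presences.find({ userId })` is still published without a projection; whether those documents hold anything sensitive is not visible here, so it is worth checking. The enclosing `Meteor.publishRelations('board', ...)` callback starts and ends outside this hunk.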