From dda49d2f07f9c50d5d57acfd5c7eee6492f93b33 Mon Sep 17 00:00:00 2001
From: Lauri Ojansivu
Date: Tue, 12 Jun 2018 21:13:50 +0300
Subject: - Security Fix: Do not publish all of people collection. Thanks to Adrian Genaid !
---
 server/publications/people.js | 28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)
diff --git a/server/publications/people.js b/server/publications/people.js
index f3c2bdfe..7c13bdcc 100644
--- a/server/publications/people.js
+++ b/server/publications/people.js
@@ -1,7 +1,25 @@
-Meteor.publish('people', (limit) => {
+Meteor.publish('people', function(limit) {
 check(limit, Number);
- return Users.find({}, {
- limit,
- sort: {createdAt: -1},
- });
+
+ if (!Match.test(this.userId, String)) {
+ return [];
+ }
+
+ const user = Users.findOne(this.userId);
+ if (user && user.isAdmin) {
+ return Users.find({}, {
+ limit,
+ sort: {createdAt: -1},
+ fields: {
+ 'username': 1,
+ 'profile.fullname': 1,
+ 'isAdmin': 1,
+ 'emails': 1,
+ 'createdAt': 1,
+ 'loginDisabled': 1,
+ },
+ });
+ } else {
+ return [];
+ }
 });
--
cgit v1.2.3-1-g7c22
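Review bot: The admin check on the new side, `const user = Users.findOne(this.userId);`, loads the caller's whole user document when only one flag is needed; `Users.findOne(this.userId, { fields: { isAdmin: 1 } })` keeps the lookup to the single field the `if (user && user.isAdmin)` test reads and makes it obvious that nothing else from that document is consulted. The projection passed to the outer `Users.find` is an allow-list, which is the right shape for a publication, but `limit` itself is only type-checked by `check(limit, Number)` and never bounded, so an admin client may still request the entire collection in one subscription; a cap such as `limit: Math.min(limit, 100)` (100 being an arbitrary example value) or a `Match.Where` range check would close that. Returning `[]` for non-admins is fine for Meteor, though `return this.ready();` would state the intent more directly. The hunk covers the whole publish function from its first line to the closing `});`.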