From abc58e74828ef6c37cce2b53086c323059ab844c Mon Sep 17 00:00:00 2001
From: Alexander Sulfrian
Date: Thu, 21 Apr 2016 19:24:42 +0200
Subject: Do not publish the whole user doc of board members (#579)

The user document contains hashed passwords and hashed resume tokens. We should only publish the required bits.
---
 server/publications/boards.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'server')
diff --git a/server/publications/boards.js b/server/publications/boards.js
index 0446a647..cd3ef238 100644
--- a/server/publications/boards.js
+++ b/server/publications/boards.js
@@ -105,7 +105,11 @@ Meteor.publishRelations('board', function(boardId) {
 //
 this.cursor(Users.find({
 _id: { $in: _.pluck(board.members, 'userId') },
- }), function(userId) {
+ }, { fields: {
+ 'username': 1,
+ 'profile.fullname': 1,
+ 'profile.avatarUrl': 1,
+ }}), function(userId) {
 // Presence indicators
 this.cursor(presences.find({ userId }));
 });
-- cgit v1.2.3-1-g7c22
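Review bot: The new `fields` projection on the `Users.find(...)` cursor has no comment marking it as a security boundary, so a later edit could widen or drop it without noticing that the full user document carries the hashed passwords and hashed resume tokens named in the commit message. I would add, directly above the cursor, `// Allow-list of published user fields: never publish the whole user doc, it contains hashed credentials.` Any other publication that returns a `Users` cursor lies outside this hunk and should be checked for the same projection; hoisting the allow-list into one shared constant would keep them consistent. The enclosing `Meteor.publishRelations('board', ...)` callback starts and ends outside the hunk.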