- Security Fix: Do not publish all of people collection.

Thanks to Adrian Genaid !
wekan · Jun 12, 2018 · dda49d2 · dda49d2
1 parent 53bd527
commit dda49d2
Showing 1 changed file with 23 additions and 5 deletions.
diff --git a/server/publications/people.js b/server/publications/people.js
@@ -1,7 +1,25 @@
-Meteor.publish('people', (limit) => {
+Meteor.publish('people', function(limit) {
   check(limit, Number);
-  return Users.find({}, {
-    limit,
-    sort: {createdAt: -1},
-  });
+
+  if (!Match.test(this.userId, String)) {
+    return [];
+  }
+
+  const user = Users.findOne(this.userId);
+  if (user && user.isAdmin) {
+    return Users.find({}, {
+      limit,
+      sort: {createdAt: -1},
+      fields: {
+        'username': 1,
+        'profile.fullname': 1,
+        'isAdmin': 1,
+        'emails': 1,
+        'createdAt': 1,
+        'loginDisabled': 1,
+      },
+    });
+  } else {
+    return [];
+  }
 });