From 7875b11b474ed545fbd7fd84b0abd684b1184129 Mon Sep 17 00:00:00 2001
From: Andrew Rodrigues <rodrigues.andrew@gmail.com>
Date: Thu, 24 Jan 2019 15:58:18 -0500
Subject: [PATCH 1/2] bump composer / persona

---
 install/package.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/install/package.json b/install/package.json
index ff763fbf7b..40db66a770 100644
--- a/install/package.json
+++ b/install/package.json
@@ -80,7 +80,7 @@
         "mousetrap": "^1.6.1",
         "mubsub-nbb": "^1.5.0",
         "nconf": "^0.10.0",
-        "nodebb-plugin-composer-default": "6.1.21",
+        "nodebb-plugin-composer-default": "6.1.22",
         "nodebb-plugin-dbsearch": "3.0.4",
         "nodebb-plugin-emoji": "^2.2.5",
         "nodebb-plugin-emoji-android": "2.0.0",
@@ -90,7 +90,7 @@
         "nodebb-plugin-spam-be-gone": "0.5.5",
         "nodebb-rewards-essentials": "0.0.13",
         "nodebb-theme-lavender": "5.0.8",
-        "nodebb-theme-persona": "9.1.11",
+        "nodebb-theme-persona": "9.1.14",
         "nodebb-theme-slick": "1.2.19",
         "nodebb-theme-vanilla": "10.1.16",
         "nodebb-widget-essentials": "4.0.12",

From 808c4909a4f5cb80d579936197e621a11b6561cf Mon Sep 17 00:00:00 2001
From: Julian Lam <julian@nodebb.org>
Date: Wed, 10 Apr 2019 13:55:53 -0400
Subject: [PATCH 2/2] fix: #6438 only apply whitelist when fields request empty
 (#7528)

* fix: #6438 only apply whitelist when fields request empty

* feat: explicit password retrieval denied via getUsersFields
---
 src/user/data.js | 15 ++++-----------
 test/user.js     |  8 ++++++++
 2 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/src/user/data.js b/src/user/data.js
index 3ad1db6433..571482be0b 100644
--- a/src/user/data.js
+++ b/src/user/data.js
@@ -3,7 +3,6 @@
 var async = require('async');
 var validator = require('validator');
 var nconf = require('nconf');
-var winston = require('winston');
 var _ = require('lodash');
 
 var db = require('../database');
@@ -85,17 +84,11 @@ module.exports = function (User) {
 				plugins.fireHook('filter:user.whitelistFields', { uids: uids, whitelist: fieldWhitelist.slice() }, next);
 			},
 			function (results, next) {
-				if (fields.length) {
-					const whitelistSet = new Set(results.whitelist);
-					fields = fields.filter(function (field) {
-						var isFieldWhitelisted = field && whitelistSet.has(field);
-						if (!isFieldWhitelisted) {
-							winston.verbose('[user/getUsersFields] ' + field + ' removed because it is not whitelisted, see `filter:user.whitelistFields`');
-						}
-						return isFieldWhitelisted;
-					});
-				} else {
+				if (!fields.length) {
 					fields = results.whitelist;
+				} else {
+					// Never allow password retrieval via this method
+					fields = fields.filter(value => value !== 'password');
 				}
 
 				db.getObjectsFields(uidsToUserKeys(uniqueUids), fields, next);
diff --git a/test/user.js b/test/user.js
index 857f909a5a..77fd9428a2 100644
--- a/test/user.js
+++ b/test/user.js
@@ -578,6 +578,14 @@ describe('User', function () {
 			});
 		});
 
+		it('should not return password even if explicitly requested', function (done) {
+			User.getUserFields(testUid, ['password'], function (err, payload) {
+				assert.ifError(err);
+				assert(!payload.hasOwnProperty('password'));
+				done();
+			});
+		});
+
 		it('should return private data if field is whitelisted', function (done) {
 			function filterMethod(data, callback) {
 				data.whitelist.push('another_secret');