From 7875b11b474ed545fbd7fd84b0abd684b1184129 Mon Sep 17 00:00:00 2001
From: Andrew Rodrigues
Date: Thu, 24 Jan 2019 15:58:18 -0500
Subject: [PATCH 1/2] bump composer / persona

---
 install/package.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/install/package.json b/install/package.json
index ff763fbf7b..40db66a770 100644
--- a/install/package.json
+++ b/install/package.json
@@ -80,7 +80,7 @@
 "mousetrap": "^1.6.1",
 "mubsub-nbb": "^1.5.0",
 "nconf": "^0.10.0",
- "nodebb-plugin-composer-default": "6.1.21",
+ "nodebb-plugin-composer-default": "6.1.22",
 "nodebb-plugin-dbsearch": "3.0.4",
 "nodebb-plugin-emoji": "^2.2.5",
 "nodebb-plugin-emoji-android": "2.0.0",
@@ -90,7 +90,7 @@
 "nodebb-plugin-spam-be-gone": "0.5.5",
 "nodebb-rewards-essentials": "0.0.13",
 "nodebb-theme-lavender": "5.0.8",
- "nodebb-theme-persona": "9.1.11",
+ "nodebb-theme-persona": "9.1.14",
 "nodebb-theme-slick": "1.2.19",
 "nodebb-theme-vanilla": "10.1.16",
 "nodebb-widget-essentials": "4.0.12",

From 808c4909a4f5cb80d579936197e621a11b6561cf Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Wed, 10 Apr 2019 13:55:53 -0400
Subject: [PATCH 2/2] fix: #6438 only apply whitelist when fields request empty (#7528)

* fix: #6438 only apply whitelist when fields request empty

* feat: explicit password retrieval denied via getUsersFields

---
 src/user/data.js | 15 ++++-----------
 test/user.js | 8 ++++++++
 2 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/src/user/data.js b/src/user/data.js
index 3ad1db6433..571482be0b 100644
--- a/src/user/data.js
+++ b/src/user/data.js
@@ -3,7 +3,6 @@
 var async = require('async');
 var validator = require('validator');
 var nconf = require('nconf');
-var winston = require('winston');
 var _ = require('lodash');
 
 var db = require('../database');
@@ -85,17 +84,11 @@ module.exports = function (User) {
 plugins.fireHook('filter:user.whitelistFields', { uids: uids, whitelist: fieldWhitelist.slice() }, next);
 },
 function (results, next) {
- if (fields.length) {
- const whitelistSet = new Set(results.whitelist);
- fields = fields.filter(function (field) {
- var isFieldWhitelisted = field && whitelistSet.has(field);
- if (!isFieldWhitelisted) {
- winston.verbose('[user/getUsersFields] ' + field + ' removed because it is not whitelisted, see `filter:user.whitelistFields`');
- }
- return isFieldWhitelisted;
- });
- } else {
+ if (!fields.length) {
 fields = results.whitelist;
+ } else {
+ // Never allow password retrieval via this method
+ fields = fields.filter(value => value !== 'password');
 }
 
 db.getObjectsFields(uidsToUserKeys(uniqueUids), fields, next);
diff --git a/test/user.js b/test/user.js
index 857f909a5a..77fd9428a2 100644
--- a/test/user.js
+++ b/test/user.js
@@ -578,6 +578,14 @@ describe('User', function () {
 });
 });
 
+ it('should not return password even if explicitly requested', function (done) {
+ User.getUserFields(testUid, ['password'], function (err, payload) {
+ assert.ifError(err);
+ assert(!payload.hasOwnProperty('password'));
+ done();
+ });
+ });
+
 it('should return private data if field is whitelisted', function (done) {
 function filterMethod(data, callback) {
 data.whitelist.push('another_secret');
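Review bot: The new `else` branch trusts every explicitly requested field except the literal `'password'`, so the `filter:user.whitelistFields` hook fired just above no longer constrains a caller that names its own fields; any plugin that relied on that whitelist to keep a custom secret field out of `getUsersFields` responses is now only protected when the request is empty, and the authorization burden moves to every caller. The replacement filter also drops the old `field &&` guard, so falsy entries (`undefined`, `''`) that the previous code discarded now reach `db.getObjectsFields`. I would keep that guard, `fields = fields.filter(field => field && field !== 'password');`, and widen the comment to state the new contract, e.g. `// Callers naming fields are trusted; only 'password' is unconditionally denied. The whitelist hook applies to empty requests only.`. The enclosing `getUsersFields` function starts before the hunk, so where `fields` is normalised (and whether callers already validate it) is not visible here.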
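Review bot: The new test requests only `['password']`, so it cannot tell "password was stripped" apart from "nothing was returned at all", and the other half of this commit's behaviour change, that every other explicitly named field now passes through regardless of the whitelist, is left unpinned. Requesting a second field the fixture is known to carry alongside `'password'` and asserting it survives, e.g. `User.getUserFields(testUid, ['password', 'uid'], ...)` followed by `assert.notStrictEqual(payload.uid, undefined);` after the existing `hasOwnProperty` check, would cover both. Which fields the `testUid` fixture actually has is set up outside this hunk, so the second field name needs confirming against that setup. The enclosing `describe('User', …)` block begins before the hunk.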