closes #5804

src/user.js

@@ -102,10 +102,11 @@ User.getUsersWithFields = function (uids, fields, uid, callback) {
 };
 
 User.getUsers = function (uids, uid, callback) {
-	var fields = ['uid', 'username', 'userslug', 'picture', 'status', 'flags',
-		'banned', 'banned:expire', 'joindate', 'postcount', 'reputation', 'email:confirmed', 'lastonline'];
-
-	User.getUsersWithFields(uids, fields, uid, callback);
+	User.getUsersWithFields(uids, [
+		'uid', 'username', 'userslug', 'picture', 'status',
+		'postcount', 'reputation', 'email:confirmed', 'lastonline',
+		'flags', 'banned', 'banned:expire', 'joindate',
+	], uid, callback);
 };
 
 User.getStatus = function (userData) {

src/user/data.js

@@ -11,8 +11,20 @@ var plugins = require('../plugins');
 var utils = require('../utils');
 
 module.exports = function (User) {
-	var iconBackgrounds = ['#f44336', '#e91e63', '#9c27b0', '#673ab7', '#3f51b5', '#2196f3',
-		'#009688', '#1b5e20', '#33691e', '#827717', '#e65100', '#ff5722', '#795548', '#607d8b'];
+	var iconBackgrounds = [
+		'#f44336', '#e91e63', '#9c27b0', '#673ab7', '#3f51b5', '#2196f3',
+		'#009688', '#1b5e20', '#33691e', '#827717', '#e65100', '#ff5722',
+		'#795548', '#607d8b',
+	];
+
+	var fieldWhitelist = [
+		'uid', 'username', 'userslug', 'email', 'email:confirmed', 'joindate',
+		'lastonline', 'picture', 'fullname', 'location', 'birthday', 'website',
+		'aboutme', 'signature', 'uploadedpicture', 'profileviews', 'reputation',
+		'postcount', 'topiccount', 'lastposttime', 'banned', 'banned:expire',
+		'status', 'flags', 'followerCount', 'followingCount', 'cover:url',
+		'cover:position', 'groupTitle',
+	];
 
 	User.getUserField = function (uid, field, callback) {
 		User.getUserFields(uid, [field], function (err, user) {
@@ -48,7 +60,6 @@ module.exports = function (User) {
 		}
 
 		if (fields.indexOf('picture') !== -1) {
-			addField('email');
 			addField('uploadedpicture');
 		}
 
@@ -62,11 +73,18 @@ module.exports = function (User) {
 
 		async.waterfall([
 			function (next) {
+				plugins.fireHook('filter:user.whitelistFields', { uids: uids, whitelist: fieldWhitelist.slice() }, next);
+			},
+			function (results, next) {
 				if (fields.length) {
-					db.getObjectsFields(uidsToUserKeys(uniqueUids), fields, next);
+					fields = fields.filter(function (field) {
+						return field && results.whitelist.includes(field);
+					});
 				} else {
-					db.getObjects(uidsToUserKeys(uniqueUids), next);
+					fields = results.whitelist;
 				}
+
+				db.getObjectsFields(uidsToUserKeys(uniqueUids), fields, next);
 			},
 			function (users, next) {
 				users = uidsToUsers(uids, uniqueUids, users);
@@ -118,14 +136,6 @@ module.exports = function (User) {
 				user.username = validator.escape(user.username ? user.username.toString() : '');
 			}
 
-			if (user.password) {
-				user.password = undefined;
-			}
-
-			if (user.rss_token) {
-				user.rss_token = undefined;
-			}
-
 			if (!parseInt(user.uid, 10)) {
 				user.uid = 0;
 				user.username = '[[global:guest]]';

test/user.js

@@ -490,12 +490,48 @@ describe('User', function () {
 		it('should get user data even if one uid is NaN', function (done) {
 			User.getUsersData([NaN, testUid], function (err, data) {
 				assert.ifError(err);
-				assert.equal(data[0], null);
+				assert(data[0]);
+				assert.equal(data[0].username, '[[global:guest]]');
 				assert(data[1]);
 				assert.equal(data[1].username, userData.username);
 				done();
 			});
 		});
+
+		it('should not return private user data', function (done) {
+			User.setUserFields(testUid, {
+				fb_token: '123123123',
+				another_secret: 'abcde',
+				postcount: '123',
+			}, function (err) {
+				assert.ifError(err);
+				User.getUserData(testUid, function (err, userData) {
+					assert.ifError(err);
+					assert(!userData.hasOwnProperty('fb_token'));
+					assert(!userData.hasOwnProperty('another_secret'));
+					assert(!userData.hasOwnProperty('password'));
+					assert(!userData.hasOwnProperty('rss_token'));
+					assert.equal(userData.postcount, '123');
+					done();
+				});
+			});
+		});
+
+		it('should return private data if field is whitelisted', function (done) {
+			function filterMethod(data, callback) {
+				data.whitelist.push('another_secret');
+				callback(null, data);
+			}
+
+			plugins.registerHook('test-plugin', { hook: 'filter:user.whitelistFields', method: filterMethod });
+			User.getUserData(testUid, function (err, userData) {
+				assert.ifError(err);
+				assert(!userData.hasOwnProperty('fb_token'));
+				assert.equal(userData.another_secret, 'abcde');
+				plugins.unregisterHook('test-plugin', 'filter:user.whitelistFields', filterMethod);
+				done();
+			});
+		});
 	});
 
 	describe('not logged in', function () {