Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Review publications with Meteor.user utilizing Account.server #1268

Closed
Capt-Slow opened this issue Aug 8, 2016 · 1 comment
Closed

Review publications with Meteor.user utilizing Account.server #1268

Capt-Slow opened this issue Aug 8, 2016 · 1 comment

Comments

@Capt-Slow
Copy link
Contributor

Capt-Slow commented Aug 8, 2016

This ticket is in reference to #344.

Publications using Meteor.user utilizing Account.server maybe exposing sensitive info to the client.

Account.user Could be refactored to apply exported fields to all in the short term, and a larger refactor in adding public social profile data to ReactionCore.Collections.Accounts.

@aaronjudd
Copy link
Contributor

I believe these are the only fields (meant to be) exposed:

    "emails": 1,
    "profile.firstName": 1,
    "profile.lastName": 1,
    "profile.familyName": 1,
    "profile.secondName": 1,
    "profile.name": 1,
    "services.twitter.profile_image_url_https": 1,
    "services.facebook.id": 1,
    "services.google.picture": 1,
    "services.github.username": 1,
    "services.instagram.profile_picture": 1

and this should only be exposed to the user whose account this record belongs to, or to admin users.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants