Filter req.user in /settings to prevent leaking info

2025-03-01 10:36:34 +00:00 · 2018-05-09 10:03:22 +01:00
parent d572356642
commit 7584820987
2 changed files with 56 additions and 2 deletions
--- a/red/api/editor/settings.js
+++ b/red/api/editor/settings.js
@@ -28,8 +28,16 @@ module.exports = {
    runtimeSettings: function(req,res) {
        var safeSettings = {
            httpNodeRoot: settings.httpNodeRoot||"/",
-            version: settings.version,
-            user: req.user
+            version: settings.version
+        }
+        if (req.user) {
+            safeSettings.user = {}
+            var props = ["anonymous","username","image","permissions"];
+            props.forEach(prop => {
+                if (req.user.hasOwnProperty(prop)) {
+                    safeSettings.user[prop] = req.user[prop];
+                }
+            })
        }

        var themeSettings = theme.settings();