From cb8189d9e2a59c614111efb48794ee1b728ae188 Mon Sep 17 00:00:00 2001
From: Ricardo Hernandez-Montoya <rhernandez@gridhound.de>
Date: Wed, 3 May 2017 12:16:20 +0200
Subject: [PATCH] restrict fields retrieved by the 'get all users' request

---
 routes/users.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/routes/users.js b/routes/users.js
index 41f96f9..c661a2c 100644
--- a/routes/users.js
+++ b/routes/users.js
@@ -38,7 +38,7 @@ router.use('/users', auth.validateToken);
 // routes
 router.get('/users', auth.validateRole('user', 'read'), function(req, res) {
   // get all users
-  User.find(function(err, users) {
+  User.find({}, 'username role mail', function(err, users) {
     if (err) {
       return next(err);
     }
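Review bot: The error branch calls `next(err)`, but the handler on the `router.get('/users', ...)` line is declared as `function(req, res)`, so unless `next` is defined in an enclosing scope outside the hunk, a failed `User.find` throws a ReferenceError instead of reaching the error middleware; the signature should read `function(req, res, next) {`. On the projection itself, the allow-list `'username role mail'` is the right shape for keeping credential fields out of the response, but it protects only this call site. If `User` is a Mongoose model, marking the sensitive schema paths `select: false` would make exclusion the default for every query, including ones added later. A comment above the call such as `// allow-list projection: only fields safe to return to API clients` would record why the list must not be widened casually. The handler body continues past the end of the hunk, so how `users` is serialized is not visible here.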
-- 
GitLab