start fixing the password in scope potential corner case security issue

2015-03-17 17:22:58 -07:00 · 2015-03-17 17:22:58 -07:00 · f1dcb4c373
parent f144e84310
commit f1dcb4c373
3 changed files with 4 additions and 3 deletions
--- a/app.js
+++ b/app.js
@ -196,7 +196,9 @@ app.use(helmet.contentSecurityPolicy({

 app.use(function (req, res, next) {
    // Make user object available in templates.
-    res.locals.user = req.user;
+    fullUser = req.user;
+    delete fullUser.password;
+    res.locals.user = fullUser;
    next();
 });

--- a/controllers/story.js
+++ b/controllers/story.js
@ -159,7 +159,6 @@ exports.returnIndividualStory = function(req, res, next) {
            upVotes: story.upVotes,
            comments: story.comments,
            id: story._id,
-            user: req.user || null,
            timeAgo: moment(story.timePosted).fromNow(),
            image: story.image,
            page: 'show',
--- a/views/account/show.jade
+++ b/views/account/show.jade
@ -8,7 +8,7 @@ block content
                if (user && user.profile.username === username)
                    .col-xs-12
                        .text-center
-                            a.btn.btn-big.btn-primary(href="/account") Update my public portfolio
+                            a.btn.btn-big.btn-primary(href="/account") Update my public portfolio or manage my account
                        br
                .row
                    .col-xs-12