Don't publish all users with details to logged-out users

[mpchst]

When not logged in, the users collections is still published to the client with all details, which means, that all email addresses, real names and roles are visible on the client:

One such message on the DDP:

a["{\"msg\":\"added\",\"collection\":\"users\",\"id\":\"KZsNMd7AC5kcu5yLj\",\"fields\":{\"emails\":[{\"address\":\"real.name@email.de\",\"verified\":true,\"fromLDAP\":true}],\"profile\":{\"name\":\"Real Name\"},\"roles\":{\"5zJmLcj4mCeuH86mZ\":[\"10\"]},\"username\":\"userid\"}}"]

For details see the Chrome Developer network view of the DDP websocket: F12 -> Network -> "websocket" -> Frames

[derwok]

Interesting observation!

We have a setting in server side configuration settings.json called "trustedIntranetInstallation". This is set to "true" in our internal company instalation, but "false" on e.g. 4minitz.com.
This setting lowers/raises the grade of confidentiality on exposing data to the clients and/or users - e.g. while sending protocols to participants. When set to false, indivisual, seperate emails are sent to each participant, thus keeping the mail adresses of others private.
Regartding your case this setting configures, if mail adresses are published to the client at all - or not.

So, could you please check in https://www.4minitz.com if you see something "spooky" there?

[mpchst]

On 4minitz.com all users are still published, but only with their login, so no real names, no email adresses.

The DDP messages look like this:

a["{\"msg\":\"added\",\"collection\":\"users\",\"id\":\"XkjKit8cz8HXtjjTP\",\"fields\":{\"username\":\"rain\",\"roles\":{\"AESFC9TuqcsjxYsJH\":[\"01\"]}}}"]

So good to know that the trustedIntranetInstallation flag also removes real names from the user list.

[derwok]

So, on "trustedIntranetInstallation: false" nothing really bad happens...
Nevertheless with a fix we'll prevent to publish any user data to the client if no user is logged in.
Thx. for the hint. ;-)