Fix GHSL-2026-037_Wekan.

xet7 · xet7 · commit 1ee9b2e91710 · 2026-02-19T23:36:44.000+02:00
Thanks to GHSL and xet7.
diff --git a/server/publications/settings.js b/server/publications/settings.js
@@ -1,12 +1,25 @@
 import { ReactiveCache } from '/imports/reactiveCache';
 
-Meteor.publish('globalwebhooks', async () => {
+Meteor.publish('globalwebhooks', async function() {
+  if (!this.userId) {
+    return this.ready();
+  }
+
+  const user = await ReactiveCache.getCurrentUser();
+  if (!user || !user.isAdmin) {
+    return this.ready();
+  }
+
   const boardId = Integrations.Const.GLOBAL_WEBHOOK_ID;
   const ret = await ReactiveCache.getIntegrations(
     {
       boardId,
     },
-    {},
+    {
+      fields: {
+        token: 0,
+      },
+    },
     true,
   );
   return ret;
