fix(api): v1 security fix

polonel · May 16, 2022 · e2db47f · e2db47f
1 parent 49befa2
commit e2db47f
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/src/controllers/api/v1/messages.js b/src/controllers/api/v1/messages.js
@@ -308,7 +308,18 @@ apiMessages.deleteConversation = function (req, res) {
     convo.save(function (err, sConvo) {
       if (err) return res.status(400).json({ success: false, error: err.message })
 
-      return res.json({ success: true, conversation: sConvo })
+      const cleanConvo = sConvo.toObject()
+      cleanConvo.participants.forEach(function (p) {
+        delete p._id
+        delete p.id
+        delete p.role
+      })
+
+      cleanConvo.userMeta.forEach(function (meta) {
+        delete meta.userId
+      })
+
+      return res.json({ success: true, conversation: cleanConvo })
     })
   })
 }