From e323b0dd31f6ad22c6fad4c036ef09415941fb5b Mon Sep 17 00:00:00 2001
From: Bradley Hilton
Date: Tue, 10 Apr 2018 15:01:37 -0500
Subject: [PATCH] Don't expose the 'settings' property on users to regular users via the rest api
---
 packages/rocketchat-api/server/api.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/packages/rocketchat-api/server/api.js b/packages/rocketchat-api/server/api.js
index c332c67f4575..7f62e48678e8 100644
--- a/packages/rocketchat-api/server/api.js
+++ b/packages/rocketchat-api/server/api.js
@@ -28,7 +28,8 @@ class API extends Restivus {
 roles: 0,
 statusDefault: 0,
 _updatedAt: 0,
- customFields: 0
+ customFields: 0,
+ settings: 0
 };
 this._config.defaultOptionsEndpoint = function _defaultOptionsEndpoint() {
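Review bot: The object gaining `settings: 0` is an exclusion list, so this fix keeps the fail-open pattern that let `settings` leak in the first place: any field later added to the user document is returned to regular users until someone remembers to list it here. An inclusion projection listing only the fields a regular user may see would fail closed; if that is too large a change for this commit, a comment above the object such as `// Denylist: any new user field is exposed via REST unless it is added here` would at least flag it for future authors. The commit also adds no test asserting that `settings` is absent from a regular user's response, so a regression would go unnoticed. The object's declaration and the places that apply it lie outside the hunk, so whether other read paths use the same list cannot be confirmed from here.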