From 1ee9b2e917104f54c035f6426169a28fedecbdb6 Mon Sep 17 00:00:00 2001
From: Lauri Ojansivu <x@xet7.org>
Date: Thu, 19 Feb 2026 23:36:44 +0200
Subject: [PATCH] Fix GHSL-2026-037_Wekan.

Thanks to GHSL and xet7.
---
 server/publications/settings.js | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/server/publications/settings.js b/server/publications/settings.js
index 531ee10c5..f832d0a99 100644
--- a/server/publications/settings.js
+++ b/server/publications/settings.js
@@ -1,12 +1,25 @@
 import { ReactiveCache } from '/imports/reactiveCache';
 
-Meteor.publish('globalwebhooks', async () => {
+Meteor.publish('globalwebhooks', async function() {
+  if (!this.userId) {
+    return this.ready();
+  }
+
+  const user = await ReactiveCache.getCurrentUser();
+  if (!user || !user.isAdmin) {
+    return this.ready();
+  }
+
   const boardId = Integrations.Const.GLOBAL_WEBHOOK_ID;
   const ret = await ReactiveCache.getIntegrations(
     {
       boardId,
     },
-    {},
+    {
+      fields: {
+        token: 0,
+      },
+    },
     true,
   );
   return ret;