Fixed CRITICAL SECURITY ISSUE of SMTP password visible to Admin at

Admin Panel by using browser inspect to see behind asterisks. Thanks to Georg Krause and xet7 !
2026-01-04 16:48:49 +01:00 · 2021-02-25 09:02:23 +02:00 · 2021-02-25 09:02:23 +02:00 · 71725f1b26
commit 71725f1b26
parent 64d4c3f971
2 changed files with 13 additions and 2 deletions
--- a/client/components/settings/settingBody.jade
+++ b/client/components/settings/settingBody.jade
@ -97,7 +97,7 @@ template(name='email')
    li.smtp-form
      .title {{_ 'smtp-password'}}
      .form-group
-        input.wekan-form-control#mail-server-password(type="password", placeholder="{{_ 'password'}}" value="{{currentSetting.mailServer.password}}")
+        input.wekan-form-control#mail-server-password(type="password", placeholder="{{_ 'password'}}" value="")
    li.smtp-form
      .title {{_ 'smtp-tls'}}
      .form-group
--- a/server/publications/settings.js
+++ b/server/publications/settings.js
@ -31,7 +31,18 @@ Meteor.publish('mailServer', function() {
  if (!Match.test(this.userId, String)) return [];
  const user = Users.findOne(this.userId);
  if (user && user.isAdmin) {
-    return Settings.find({}, { fields: { mailServer: 1 } });
+    return Settings.find(
+      {},
+      {
+        fields: {
+          'mailServer.host': 1,
+          'mailServer.port': 1,
+          'mailServer.username': 1,
+          'mailServer.enableTLS': 1,
+          'mailServer.from': 1,
+        },
+      },
+    );
  }
  return [];
 });