From 71725f1b262b385162b2544f10658a0bc22f6b41 Mon Sep 17 00:00:00 2001
From: Lauri Ojansivu
Date: Thu, 25 Feb 2021 09:02:23 +0200
Subject: [PATCH] Fixed CRITICAL SECURITY ISSUE of SMTP password visible to Admin at Admin Panel by using browser inspect to see behind asterisks. Thanks to Georg Krause and xet7 !

---
 client/components/settings/settingBody.jade | 2 +-
 server/publications/settings.js | 13 ++++++++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/client/components/settings/settingBody.jade b/client/components/settings/settingBody.jade
index dc5387ac6..45c128cd1 100644
--- a/client/components/settings/settingBody.jade
+++ b/client/components/settings/settingBody.jade
@@ -97,7 +97,7 @@ template(name='email')
 li.smtp-form
 .title {{_ 'smtp-password'}}
 .form-group
- input.wekan-form-control#mail-server-password(type="password", placeholder="{{_ 'password'}}" value="{{currentSetting.mailServer.password}}")
+ input.wekan-form-control#mail-server-password(type="password", placeholder="{{_ 'password'}}" value="")
 li.smtp-form
 .title {{_ 'smtp-tls'}}
 .form-group
diff --git a/server/publications/settings.js b/server/publications/settings.js
index d2a003592..877ca6096 100644
--- a/server/publications/settings.js
+++ b/server/publications/settings.js
@@ -31,7 +31,18 @@ Meteor.publish('mailServer', function() {
 if (!Match.test(this.userId, String)) return [];
 const user = Users.findOne(this.userId);
 if (user && user.isAdmin) {
- return Settings.find({}, { fields: { mailServer: 1 } });
+ return Settings.find(
+ {},
+ {
+ fields: {
+ 'mailServer.host': 1,
+ 'mailServer.port': 1,
+ 'mailServer.username': 1,
+ 'mailServer.enableTLS': 1,
+ 'mailServer.from': 1,
+ },
+ },
+ );
 }
 return [];
 });
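Review bot: Blanking the value attribute on the `#mail-server-password` input keeps the stored password out of the rendered DOM, but it also means a form save that reads this field will submit an empty string whenever the admin edits only the other SMTP settings; the save handler is not part of this patch, so it should be confirmed that an empty value is treated as "keep the stored password" rather than written through. A comment on the input line would keep the intent from being reverted by a later edit, e.g. `//- value intentionally empty: the stored SMTP password must never be rendered into the page`. The enclosing `template(name='email')` starts outside the hunk.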
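Review bot: The new inclusion projection is the right fix, but nothing in the code records why `mailServer` is no longer projected as a whole, so a later maintainer adding a sub-field could restore `mailServer: 1` and publish `mailServer.password` again; a short comment above the `fields` object would pin this, e.g. `// Project individual sub-fields only: mailServer.password must never reach the client, even for admins.` An inclusion projection also keeps any sub-field added later out of this publication by default, which is the safer direction. Whether the same document is reachable through another publication or a method is not visible here and is worth checking. The `Meteor.publish('mailServer', …)` callback starts outside the hunk.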