Add a new SessionData collection and limit user fields

* Add new SessionData collection to store user session data available to server and client * Limit the Users fields sent to the client by `myCards`, `dueCards`, `brokenCards`, and `globalSearch` using new `Users.safeFields` * clean-up
2026-01-31 05:35:16 +01:00 · 2021-01-16 19:20:31 +02:00 · 2021-01-16 19:20:31 +02:00 · ff626fb559
commit ff626fb559
parent ab183acac3
5 changed files with 113 additions and 81 deletions
--- a/server/publications/cards.js
+++ b/server/publications/cards.js
@ -72,18 +72,7 @@ Meteor.publish('myCards', function() {
    Boards.find({ _id: { $in: boards } }),
    Swimlanes.find({ _id: { $in: swimlanes } }),
    Lists.find({ _id: { $in: lists } }),
-    Users.find(
-      { _id: { $in: users } },
-      {
-        fields: {
-          _id: 1,
-          username: 1,
-          'profile.fullname': 1,
-          'profile.avatarUrl': 1,
-          'profile.initials': 1,
-        },
-      },
-    ),
+    Users.find({ _id: { $in: users } }, { fields: Users.safeFields }),
  ];
 });

@ -93,18 +82,7 @@ Meteor.publish('dueCards', function(allUsers = false) {
  // eslint-disable-next-line no-console
  // console.log('all users:', allUsers);

-  const user = Users.findOne(
-    { _id: this.userId },
-    {
-      fields: {
-        _id: 1,
-        username: 1,
-        'profile.fullname': 1,
-        'profile.avatarUrl': 1,
-        'profile.initials': 1,
-      },
-    },
-  );
+  const user = Users.findOne({ _id: this.userId });

  const archivedBoards = [];
  Boards.find({ archived: true }).forEach(board => {
@ -115,14 +93,12 @@ Meteor.publish('dueCards', function(allUsers = false) {
  let selector = {
    archived: false,
  };
-  // for admins and users, allow her to see cards only from boards where
-  // she is a member
-  //if (!user.isAdmin) {
+
  selector.$or = [
    { permission: 'public' },
    { members: { $elemMatch: { userId: user._id, isActive: true } } },
  ];
-  //}
+
  Boards.find(selector).forEach(board => {
    permiitedBoards.push(board._id);
  });
@ -193,18 +169,7 @@ Meteor.publish('dueCards', function(allUsers = false) {
    Boards.find({ _id: { $in: boards } }),
    Swimlanes.find({ _id: { $in: swimlanes } }),
    Lists.find({ _id: { $in: lists } }),
-    Users.find(
-      { _id: { $in: users } },
-      {
-        fields: {
-          _id: 1,
-          username: 1,
-          'profile.fullname': 1,
-          'profile.avatarUrl': 1,
-          'profile.initials': 1,
-        },
-      },
-    ),
+    Users.find({ _id: { $in: users } }, { fields: Users.safeFields }),
  ];
 });

@ -216,6 +181,25 @@ Meteor.publish('globalSearch', function(queryParams) {

  const cards = Cards.globalSearch(queryParams).cards;

+  SessionData.upsert(
+    { userId: this.userId },
+    {
+      $set: {
+        totalHits: cards.count(),
+        lastHit: cards.count() > 50 ? 50 : cards.count(),
+      },
+    },
+  );
+
+  // eslint-disable-next-line no-console
+  console.log('SessionData:', SessionData.find().fetch());
+  // Users.update(this.userId, {
+  //   $set: {
+  //     'sessionData.totalHits': cards.count(),
+  //     'sessionData.lastHit': cards.count() > 50 ? 50 : cards.count(),
+  //   },
+  // });
+
  const boards = [];
  const swimlanes = [];
  const lists = [];
@ -244,34 +228,21 @@ Meteor.publish('globalSearch', function(queryParams) {
    Boards.find({ _id: { $in: boards } }),
    Swimlanes.find({ _id: { $in: swimlanes } }),
    Lists.find({ _id: { $in: lists } }),
-    Users.find({ _id: { $in: users } }),
+    Users.find({ _id: { $in: users } }, { fields: Users.safeFields }),
+    SessionData.find({ userId: this.userId }),
  ];
 });

 Meteor.publish('brokenCards', function() {
-  const user = Users.findOne(
-    { _id: this.userId },
-    {
-      fields: {
-        _id: 1,
-        username: 1,
-        'profile.fullname': 1,
-        'profile.avatarUrl': 1,
-        'profile.initials': 1,
-      },
-    },
-  );
+  const user = Users.findOne({ _id: this.userId });

  const permiitedBoards = [null];
  let selector = {};
-  // for admins and users, if user is not an admin allow her to see cards only from boards where
-  // she is a member
-  //if (!user.isAdmin) {
  selector.$or = [
    { permission: 'public' },
    { members: { $elemMatch: { userId: user._id, isActive: true } } },
  ];
-  //}
+
  Boards.find(selector).forEach(board => {
    permiitedBoards.push(board._id);
  });
@ -328,17 +299,6 @@ Meteor.publish('brokenCards', function() {
    Boards.find({ _id: { $in: boards } }),
    Swimlanes.find({ _id: { $in: swimlanes } }),
    Lists.find({ _id: { $in: lists } }),
-    Users.find(
-      { _id: { $in: users } },
-      {
-        fields: {
-          _id: 1,
-          username: 1,
-          'profile.fullname': 1,
-          'profile.avatarUrl': 1,
-          'profile.initials': 1,
-        },
-      },
-    ),
+    Users.find({ _id: { $in: users } }, { fields: Users.safeFields }),
  ];
 });