fix: #6438 only apply whitelist when fields request empty (#7528)

* fix: #6438 only apply whitelist when fields request empty

* feat: explicit password retrieval denied via getUsersFields

src/user/data.js

@@ -3,7 +3,6 @@
 var async = require('async');
 var validator = require('validator');
 var nconf = require('nconf');
-var winston = require('winston');
 var _ = require('lodash');
 
 var db = require('../database');
@@ -85,17 +84,11 @@ module.exports = function (User) {
 				plugins.fireHook('filter:user.whitelistFields', { uids: uids, whitelist: fieldWhitelist.slice() }, next);
 			},
 			function (results, next) {
-				if (fields.length) {
+				if (!fields.length) {
-					const whitelistSet = new Set(results.whitelist);
-					fields = fields.filter(function (field) {
-						var isFieldWhitelisted = field && whitelistSet.has(field);
-						if (!isFieldWhitelisted) {
-							winston.verbose('[user/getUsersFields] ' + field + ' removed because it is not whitelisted, see `filter:user.whitelistFields`');
-						}
-						return isFieldWhitelisted;
-					});
-				} else {
 					fields = results.whitelist;
+				} else {
+					// Never allow password retrieval via this method
+					fields = fields.filter(value => value !== 'password');
 				}
 
 				db.getObjectsFields(uidsToUserKeys(uniqueUids), fields, next);

test/user.js

@@ -578,6 +578,14 @@ describe('User', function () {
 			});
 		});
 
+		it('should not return password even if explicitly requested', function (done) {
+			User.getUserFields(testUid, ['password'], function (err, payload) {
+				assert.ifError(err);
+				assert(!payload.hasOwnProperty('password'));
+				done();
+			});
+		});
+
 		it('should return private data if field is whitelisted', function (done) {
 			function filterMethod(data, callback) {
 				data.whitelist.push('another_secret');