fix: don't return email for members

stop retrieving additional fields which has been added to ES for members as they can be outdated
also, returning email from ES may leak it, while email should be only returned to admins as controlled by "getObjectsWithMemberDetails" method

Author: maxceem

src/routes/projectMembers/get.js

@@ -7,6 +7,8 @@ import { middleware as tcMiddleware } from 'tc-core-library-js';
 import models from '../../models';
 import util from '../../util';
 
+const PROJECT_MEMBER_ATTRIBUTES = _.without(_.keys(models.ProjectMember.rawAttributes));
+
 /**
  * API to get project member.
  *
@@ -30,7 +32,7 @@ module.exports = [
   (req, res, next) => {
     const projectId = _.parseInt(req.params.projectId);
     const memberRecordId = _.parseInt(req.params.id);
-    const fields = req.query.fields ? req.query.fields.split(',') : null;
+    const fields = req.query.fields ? req.query.fields.split(',') : [];
 
     util.fetchByIdFromES('members', {
       query: {
@@ -74,7 +76,15 @@ module.exports = [
         });
       }
       req.log.debug('project member found in ES');
-      return data[0].inner_hits.members.hits.hits[0]._source; // eslint-disable-line no-underscore-dangle
+      return _.pick(
+        data[0].inner_hits.members.hits.hits[0]._source, // eslint-disable-line no-underscore-dangle
+        // Elasticsearch index might have additional fields added to members like
+        // 'handle', 'firstName', 'lastName', 'email'
+        // but we shouldn't return them, as they might be outdated
+        // method "getObjectsWithMemberDetails" would populate these fields again
+        // with up to date data from Member Service if necessary
+        PROJECT_MEMBER_ATTRIBUTES,
+      );
     }).then(member => (
       util.getObjectsWithMemberDetails([member], fields, req)
         .then(([memberWithDetails]) => memberWithDetails)

src/routes/projectMembers/list.js

@@ -9,6 +9,8 @@ import models from '../../models';
 import util from '../../util';
 import { PROJECT_MEMBER_ROLE } from '../../constants';
 
+const PROJECT_MEMBER_ATTRIBUTES = _.without(_.keys(models.ProjectMember.rawAttributes));
+
 const permissions = tcMiddleware.permissions;
 
 const schema = {
@@ -31,7 +33,7 @@ module.exports = [
   permissions('project.viewMember'),
   (req, res, next) => {
     const projectId = _.parseInt(req.params.projectId);
-    const fields = req.query.fields ? req.query.fields.split(',') : null;
+    const fields = req.query.fields ? req.query.fields.split(',') : [];
     const must = [
       { term: { 'members.projectId': projectId } },
     ];
@@ -89,7 +91,15 @@ module.exports = [
         });
       }
       req.log.debug('project members found in ES');
-      return data[0].inner_hits.members.hits.hits.map(hit => hit._source); // eslint-disable-line no-underscore-dangle
+      return data[0].inner_hits.members.hits.hits.map(hit => _.pick(
+        hit._source, // eslint-disable-line no-underscore-dangle
+        // Elasticsearch index might have additional fields added to members like
+        // 'handle', 'firstName', 'lastName', 'email'
+        // but we shouldn't return them, as they might be outdated
+        // method "getObjectsWithMemberDetails" would populate these fields again
+        // with up to date data from Member Service if necessary
+        PROJECT_MEMBER_ATTRIBUTES,
+      ));
     })
     .then(members => (
       util.getObjectsWithMemberDetails(members, fields, req)