From aa0ea219907417e68af2631a4eeb56c6d986905c Mon Sep 17 00:00:00 2001
From: Anton Georgiev <anto.georgiev@gmail.com>
Date: Fri, 30 Jul 2021 13:11:44 +0000
Subject: [PATCH] fix(breakouts): Do not allow users to obtain
 'redirectToHtml5JoinURL' for others

---
 .../api/breakouts/server/publishers.js        | 23 ++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/bigbluebutton-html5/imports/api/breakouts/server/publishers.js b/bigbluebutton-html5/imports/api/breakouts/server/publishers.js
index 1e9b6f0e0d..f3c39edd06 100755
--- a/bigbluebutton-html5/imports/api/breakouts/server/publishers.js
+++ b/bigbluebutton-html5/imports/api/breakouts/server/publishers.js
@@ -45,7 +45,28 @@ function breakouts(role) {
     ],
   };
 
-  return Breakouts.find(selector);
+  const fields = {
+    fields: {
+      users: {
+        $elemMatch: {
+          // do not allow users to obtain 'redirectToHtml5JoinURL' for others
+          userId,
+        },
+      },
+      breakoutId: 1,
+      externalId: 1,
+      freeJoin: 1,
+      isDefaultName: 1,
+      joinedUsers: 1,
+      name: 1,
+      parentMeetingId: 1,
+      sequence: 1,
+      shortName: 1,
+      timeRemaining: 1,
+    },
+  };
+
+  return Breakouts.find(selector, fields);
 }
 
 function publish(...args) {
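Review bot: `joinedUsers: 1` is still published whole to every subscriber the selector matches, while only `users` is narrowed by the `$elemMatch` on `userId`; since the hunk does not show the shape of `joinedUsers` entries, it is worth confirming they hold nothing per-user that is sensitive (join URLs, tokens). The guarantee also depends on `userId` being derived from the authenticated connection rather than from subscription arguments, and its definition is above the hunk, as is the start of `breakouts(role)`. The existing inline comment sits inside the `$elemMatch`, so I would add one above the projection stating that it is an allowlist, e.g. `// allowlist: fields not listed here are never published; review before adding one`. Naming the options object `fields` when it wraps a `fields` key is easy to misread; `options` would be clearer.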
-- 
GitLab