From e958401f39a0639f385323dd0403b81586eedbbb Mon Sep 17 00:00:00 2001
From: basantnema31
Date: Sun, 24 May 2026 14:56:45 +0530
Subject: [PATCH] fix: restrict populated author fields to prevent leaking sensitive data (Issue #265, #271)
---
 server/controllers/note.controller.js | 6 +++---
 server/controllers/question.controller.js | 2 +-
 server/controllers/request.controller.js | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/server/controllers/note.controller.js b/server/controllers/note.controller.js
index 57149b9..1c8dfe9 100644
--- a/server/controllers/note.controller.js
+++ b/server/controllers/note.controller.js
@@ -12,7 +12,7 @@ const searchNotes = wrapAsync(async (req, res) => {
 };
 const notes = await Note.find(query.search ? searchFilter : null)
 .populate("subject")
- .populate("author")
+ .populate("author", "username userPhoto")
 .exec();
 res.status(200).json(notes);
 } catch (error) {
@@ -195,7 +195,7 @@ const getBookMarkedNotesByUser = async (req, res) => {
 const user = await User.findById(userId)
 .populate({
 path: "bookMarkedNotes",
- populate: [{ path: "author" }, { path: "subject" }],
+ populate: [{ path: "author", select: "username userPhoto" }, { path: "subject" }],
 })
 .select("-password")
 .exec();
@@ -223,7 +223,7 @@ const getSpecificNotesController = async (req, res) => {
 year: parseInt(year),
 semester: semester,
 subject: subject,
- }).populate("author");
+ }).populate("author", "username userPhoto");
 if (notes.length === 0) {
 return res
 .status(404)
diff --git a/server/controllers/question.controller.js b/server/controllers/question.controller.js
index e6ab425..a71ad28 100644
--- a/server/controllers/question.controller.js
+++ b/server/controllers/question.controller.js
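Review bot: The projection `"username userPhoto"` is an allowlist hard-coded at this call site and repeated verbatim in every other hunk of this patch, so the next `.populate("author")` written anywhere in the code base silently regresses to returning the full user document. Hoist it into one shared constant, e.g. `const AUTHOR_PUBLIC_FIELDS = "username userPhoto";` exported next to the User model, and have each populate reference it; the durable fix is to mark the sensitive User fields `select: false` in the schema so they stay excluded even when a projection is forgotten. Note that Mongoose still returns the author's `_id` under this projection unless `-_id` is added, which is presumably intended so the client can link to profiles. The enclosing searchNotes function starts before this hunk.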
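Review bot: The projection strategy is inconsistent within this single query: the populated author gets the allowlist `select: "username userPhoto"` while the top-level user record only gets the denylist `.select("-password")`, so any other sensitive User field (email, reset tokens, whatever the schema holds — not visible here) is still returned on this path. If `userId` can come from the route or body rather than the authenticated session, that user document is readable by any caller; either way the same allowlist discipline belongs on the user record, e.g. `.select("username userPhoto bookMarkedNotes")` if those are the only fields the response needs. The function's start and its response handling lie outside the hunk.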
@@ -27,7 +27,7 @@ const askQuestion = wrapAsync(async (req, res) => {
 const getQuestion = wrapAsync(async (req, res) => {
 try {
- const questions = await Question.find({}).populate("author");
+ const questions = await Question.find({}).populate("author", "username userPhoto");
 res.status(201).json(questions);
 } catch (error) {
 console.error(error);
diff --git a/server/controllers/request.controller.js b/server/controllers/request.controller.js
index 08776d0..eda4873 100644
--- a/server/controllers/request.controller.js
+++ b/server/controllers/request.controller.js
@@ -27,7 +27,7 @@ const addRequest = wrapAsync(async (req, res) => {
 const getRequests = wrapAsync(async (req, res) => {
 try {
- const requests = await Request.find({}).populate("author");
+ const requests = await Request.find({}).populate("author", "username userPhoto");
 res.status(201).json(requests);
 } catch (error) {
 console.error(error);
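Review bot: The line right after the change, `res.status(201).json(questions);`, answers a read (`Question.find({})` with no filter) with 201 Created; a successful fetch should be `res.status(200).json(questions);`, matching the `res.status(200)` used by searchNotes in this same patch. The commit leaves it untouched, and the identical `res.status(201)` appears in the getRequests hunk of request.controller.js. The unfiltered find also returns every question with no pagination, which appears to be pre-existing behavior rather than something this patch introduces. The catch block continues past the end of the hunk.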