From 75990f841d55393fdc95f1f4039ec269c57b0381 Mon Sep 17 00:00:00 2001
From: Sean Grove
Date: Wed, 11 Apr 2012 18:17:14 -0700
Subject: [PATCH] Restrict faye broadcast messages to only the necessary fields
---
 app/models/activity_observer.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/models/activity_observer.rb b/app/models/activity_observer.rb
index 139452cc..41ac8ac4 100644
--- a/app/models/activity_observer.rb
+++ b/app/models/activity_observer.rb
@@ -11,7 +11,7 @@ def after_save(activity)
 def message_broadcast_data(activity)
 faye_channel = "/channels/#{activity.channel.to_param}"
 broadcast_data = activity.attributes.merge({
- :user => activity.user.attributes,
+ :user => activity.user.as_json(:only => [:id, :ido_id, :email, :first_name, :last_name, :gravatar_hash, :active, :locale]),
 :channel => activity.channel.attributes
 })
 [faye_channel, broadcast_data]
@@ -22,7 +22,7 @@ def upload_broadcast_data(activity)
 broadcast_data = {
 :event => "attachment#upload",
 :entity => activity.attributes.merge({
- :user => activity.user.attributes,
+ :user => activity.user.as_json(:only => [:id, :ido_id, :email, :first_name, :last_name, :gravatar_hash, :active, :locale]),
 :channel => activity.channel.attributes
 }),
 :extra => {
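Review bot: The allowlist only covers `:user`; in `message_broadcast_data` the payload still starts from `activity.attributes` and embeds `activity.channel.attributes` whole, so every column on those two models, including any added later, still goes out to all subscribers of the channel. The same applies to the `:entity` hash in the second hunk (`upload_broadcast_data`). I would give both the same treatment, e.g. `:channel => activity.channel.serializable_hash(:only => CHANNEL_FIELDS)`, where `CHANNEL_FIELDS` is a placeholder for the fields the client actually reads. `:email` is also still in the user list; if clients only need the avatar, `:gravatar_hash` presumably covers that and the address could be dropped. The `end` of this method lies outside the hunk.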
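Review bot: The eight-field list in `upload_broadcast_data` is repeated verbatim from `message_broadcast_data`, so a later edit to one copy can silently leave the other broadcasting a different set of user fields. Pull it into one constant, e.g. `BROADCAST_USER_FIELDS = [:id, :ido_id, :email, :first_name, :last_name, :gravatar_hash, :active, :locale].freeze`, and reference it in both places. Separately, if `include_root_in_json` is enabled for this app, `as_json` wraps the result under a `"user"` key, which would change the payload shape clients previously got from `attributes`; `activity.user.serializable_hash(:only => BROADCAST_USER_FIELDS)` avoids the wrapping. `upload_broadcast_data` begins and ends outside this hunk.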