do not pass historical author data to read only users

src/node/handler/PadMessageHandler.js

@@ -1012,10 +1012,16 @@ function handleClientReady(client, message)
         var attribsForWire = Changeset.prepareForWire(atext.attribs, pad.pool);
         var apool = attribsForWire.pool.toJsonable();
         atext.attribs = attribsForWire.translated;
+
+
         
         // Warning: never ever send padIds.padId to the client. If the
         // client is read only you would open a security hole 1 swedish
         // mile wide...
+        // Heh, turns out we already did when we sent historicalAuthorData so
+        // if it's a readonly pad request don't send the pad IDs of the author
+        if(sessioninfos[client.id].readonly) historicalAuthorData = {};
+
         var clientVars = {
           "accountPrivs": {
               "maxRevisions": 100