From b32aaaeb1b89d1b9dac095689fe9af44994fe95b Mon Sep 17 00:00:00 2001
From: John McLear <john@mclear.co.uk>
Date: Sun, 6 Oct 2013 15:15:43 +0100
Subject: [PATCH] do not pass historical author data to read only users

---
 src/node/handler/PadMessageHandler.js | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/node/handler/PadMessageHandler.js b/src/node/handler/PadMessageHandler.js
index a79d2410b..825864255 100644
--- a/src/node/handler/PadMessageHandler.js
+++ b/src/node/handler/PadMessageHandler.js
@@ -1012,10 +1012,16 @@ function handleClientReady(client, message)
         var attribsForWire = Changeset.prepareForWire(atext.attribs, pad.pool);
         var apool = attribsForWire.pool.toJsonable();
         atext.attribs = attribsForWire.translated;
+
+
         
         // Warning: never ever send padIds.padId to the client. If the
         // client is read only you would open a security hole 1 swedish
         // mile wide...
+        // Heh, turns out we already did when we sent historicalAuthorData so
+        // if it's a readonly pad request don't send the pad IDs of the author
+        if(sessioninfos[client.id].readonly) historicalAuthorData = {};
+
         var clientVars = {
           "accountPrivs": {
               "maxRevisions": 100