From e4e558c0e6050075f5ec3dac262e487755bfddcd Mon Sep 17 00:00:00 2001
From: Shane Kilkelly
Date: Thu, 5 Oct 2017 13:18:30 +0100
Subject: [PATCH] Hide access tokens if user is not the project owner.

This prevents sneaky read-only users from sniffing out the read-write link via the browser console.

---
 .../web/app/coffee/Features/Editor/EditorHttpController.coffee | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/services/web/app/coffee/Features/Editor/EditorHttpController.coffee b/services/web/app/coffee/Features/Editor/EditorHttpController.coffee
index d74c9dd4d9..28c064f42f 100644
--- a/services/web/app/coffee/Features/Editor/EditorHttpController.coffee
+++ b/services/web/app/coffee/Features/Editor/EditorHttpController.coffee
@@ -22,6 +22,9 @@ module.exports = EditorHttpController =
 Metrics.inc "editor.join-project"
 EditorHttpController._buildJoinProjectView req, project_id, user_id, (error, project, privilegeLevel) ->
 return next(error) if error?
+# Hide access tokens if this is not the project owner
+if privilegeLevel != 'owner' && project.tokens?
+project.tokens = {readOnly: '', readAndWrite: ''}
 res.json {
 project: project
 privilegeLevel: privilegeLevel
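Review bot: The blanking in the added `if` mutates `project` in place; `_buildJoinProjectView` is defined outside this hunk, so if the object it hands back is cached or shared between requests (I cannot tell from here), an owner's later request could receive blanked tokens or a non-owner a real one, and assigning a copy avoids that: `project = Object.assign({}, project, {tokens: {readOnly: '', readAndWrite: ''}})`. The comparison keeps tokens only for the exact string `'owner'`, which is the safe default for a missing or unexpected privilegeLevel, and that intent is worth recording in the comment: `# Only the project owner may see the tokens; any other or unknown privilege level gets blanks`. Because this is a response-level filter, any other handler that serializes a project together with its tokens field needs the same rule, and a unit test asserting blank tokens for the read-only and read-and-write levels and intact tokens for the owner would pin the behaviour. The enclosing callback and the `res.json` object literal continue past the end of the hunk.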