-// to: object user (to who we send an email)
-function setAndSendLoginToken(subject, to, res)
-{
- // Set login token and send welcome(back) email with auth link
- const token = genToken(params.token.length);
- UserModel.setLoginToken(token, to.id, err => {
- if (!!err)
- return res.json({errmsg: err.toString()});
- const body =
- "Hello " + to.name + "!\n" +
- "Access your account here: " +
- params.siteURL + "/#/authenticate/" + token + "\\n" +
- "Token will expire in " + params.token.expire/(1000*60) + " minutes."
- sendEmail(params.mail.noreply, to.email, subject, body, err => {
- // "id" is generally the only info missing on client side,
- // but the name is also unknown if log-in with the email.
- res.json(err || {id: to.id, name: to.name});
- });
- });
-}
+// NOTE: this method is safe because only IDs and names are returned
+router.get("/users", access.ajax, (req,res) => {
+ const ids = req.query["ids"];
+ // NOTE: slightly too permissive RegExp
+ if (ids.match(/^([0-9]+,?)+$/)) {
+ UserModel.getByIds(ids, (err,users) => {
+ res.json({users:users});
+ });
+ }
+});