app/volt/models/user.rb in volt-0.8.27.beta3 vs app/volt/models/user.rb in volt-0.8.27.beta4
@@ -14,9 +14,17 @@
end
validate login_field, unique: true, length: 8
validate :email, email: true
+ permissions(:read) do
+ # Never pass the hashed_password to the client
+ deny :hashed_password
+
+ # Deny all if this isn't the owner
+ deny if !_id == Volt.user_id && !new?
+ end
+
if RUBY_PLATFORM == 'opal'
# Don't validate on the server
validate :password, length: 8
end
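Review bot: The owner check on the added `deny if !_id == Volt.user_id && !new?` line does not do what its comment says, because Ruby parses `!_id == Volt.user_id` as `(!_id) == Volt.user_id`, which compares `false` (for any persisted id) with the user id and is almost never true, so the read permission block only ever hides `hashed_password` and other users' records stay readable. The intended rule is a non-owner check, e.g. `deny if _id != Volt.user_id && !new?` or `deny unless _id == Volt.user_id || new?`. It is also worth confirming that `_id` and `Volt.user_id` are of the same type at comparison time (both strings or both id objects); if they are not, the corrected condition would deny the owner as well. The enclosing class definition starts outside this hunk.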