From 944b9bf4981128d2dbe54dd969dd3594bfdef668 Mon Sep 17 00:00:00 2001
From: Martin Edenhofer <me@edenhofer.de>
Date: Tue, 10 May 2016 16:07:39 +0200
Subject: [PATCH] Do not show passwords on user create or update.

---
 app/controllers/users_controller.rb | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index a2c727aae..147696499 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -50,7 +50,8 @@ class UsersController < ApplicationController
       return
     end
 
-    user = User.find(params[:id])
+    user = User.find(params[:id]).attributes_with_associations
+    user.delete('password')
     render json: user
   end
 
@@ -159,7 +160,8 @@ class UsersController < ApplicationController
           }
         )
       end
-      user_new = User.find(user.id)
+      user_new = User.find(user.id).attributes_with_associations
+      user_new.delete('password')
       render json: user_new, status: :created
     rescue => e
       render json: model_match_error(e.message), status: :unprocessable_entity
@@ -206,7 +208,8 @@ class UsersController < ApplicationController
       end
 
       # get new data
-      user_new = User.find( params[:id] )
+      user_new = User.find(params[:id]).attributes_with_associations
+      user_new.delete('password')
       render json: user_new, status: :ok
     rescue => e
       render json: { error: e.message }, status: :unprocessable_entity