• Only include the user's ID in the time_spent command's update hash · 3e4b45fc
    Robert Speicher authored
    Previously, this would include the entire User record in the update
    hash, which was rendered in the response using `to_json`, erroneously
    exposing every attribute of that record, including their (now removed)
    private token.
    Now we only include the user ID, and perform the lookup on-demand.
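
The leak pattern the commit message describes, as an added example that is not code from this commit or from the project: an update hash holding a whole record is rendered with `to_json`, next to the ID-only form with an on-demand lookup. The `User` struct, `USERS` table, hash keys and method names are all hypothetical stand-ins, and the token value is constructed.

```ruby
require 'json'

# Constructed stand-in for an ORM record: like a typical model object, its
# default JSON form contains every attribute, sensitive ones included.
User = Struct.new(:id, :username, :private_token) do
  def to_json(*args)
    to_h.to_json(*args)
  end
end

# Hypothetical in-memory table used in place of a database lookup.
USERS = {
  7 => User.new(7, 'alice', 'CONSTRUCTED-TOKEN-VALUE')
}.freeze

# "Before" form: the whole record is placed in the update hash.
def updates_with_record(user, seconds)
  { time_spent: { duration: seconds, user: user } }
end

# "After" form: only the ID is stored in the update hash.
def updates_with_id(user, seconds)
  { time_spent: { duration: seconds, user_id: user.id } }
end

# The consumer resolves the record on demand from the stored ID.
def spender(updates)
  USERS.fetch(updates[:time_spent][:user_id])
end

# Renders the update hash the way a JSON response would.
def render_response(updates)
  updates.to_json
end

# Regression check: does the rendered response contain the user's token?
def leaks?(rendered, user)
  rendered.include?(user.private_token)
end
```

A check like `leaks?` can be asserted against the rendered response body in a request spec so that the full record cannot reappear in the response unnoticed.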
milestone_spec.rb 3.31 KB