From 2fcfce88258040e17e8a4653c9fcf35ee8579f03 Mon Sep 17 00:00:00 2001
From: Leo Lara
Date: Fri, 5 Jun 2015 10:50:47 +0200
Subject: [PATCH 1/2] Implement checks on publish arguments
---
 server/publish.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/server/publish.js b/server/publish.js
index 236205d..3938ca9 100644
--- a/server/publish.js
+++ b/server/publish.js
@@ -3,5 +3,11 @@ Meteor.publish('roles', function (){
 });
 Meteor.publish('filteredUsers', function(filter) {
+ if (filter === null) {
+ check(filter, null);
+ } else {
+ check(filter, String);
+ }
+
 return filteredUserQuery(this.userId, filter);
-});
\ No newline at end of file
+});
From 6346e4b296fc7af2b2b5354521332e51370ff953 Mon Sep 17 00:00:00 2001
From: Leo Lara
Date: Tue, 16 Jun 2015 17:42:53 +0200
Subject: [PATCH 2/2] Fix lack of parameters check in addUserRole
---
 server/methods.js | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/server/methods.js b/server/methods.js
index 165c4af..cacffea 100644
--- a/server/methods.js
+++ b/server/methods.js
@@ -6,12 +6,15 @@ Meteor.methods({
 if (user._id == userId) throw new Meteor.Error(422, 'You can\'t delete yourself.');
-
+
 // remove the user
 Meteor.users.remove(userId);
 },
 addUserRole: function(userId, role) {
+ check(userId, String);
+ check(role, String);
+
 var user = Meteor.user();
 if (!user || !Roles.userIsInRole(user, ['admin'])) throw new Meteor.Error(401, "You need to be an admin to update a user.");
@@ -103,4 +106,4 @@ Meteor.methods({
 Meteor.users.update({_id: id}, {$set: obj});
 }
-});
\ No newline at end of file
+});
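Review bot: The null branch's `check(filter, null)` can never fail, because that branch is only entered when `filter === null` already holds, so the six added lines in the filteredUsers publication collapse to one pattern: `check(filter, Match.OneOf(null, String));`. A String check bounds the argument's type but not its length or content; filteredUserQuery is not visible here, so if it builds a selector or regular expression from `filter`, a length cap or a `Match.Where` predicate on the same line is where that constraint belongs. The publish callback is fully contained in the hunk.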
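Review bot: `check(role, String)` in addUserRole accepts any string, so a caller who passes the admin check below can grant role names the application never defined; if the role set is fixed, constrain it there with a predicate such as `check(role, Match.Where(function (r) { return ALLOWED_ROLES.indexOf(r) !== -1; }));` (ALLOWED_ROLES is a placeholder for the project's role list). The method whose tail is shown at the top of the hunk also takes a `userId` and compares it with `==` against `user._id`; its head starts outside the hunk, so I cannot see whether it has the same `check(userId, String)` guard, and if it lacks one it should gain it in this commit. addUserRole's body continues past the end of the hunk.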