Merge pull request #3250 from weseek/fix/4756-4757-refactor-access-token-parcer

Fix/4756 4757 refactor access token parcer

src/server/middlewares/access-token-parser.js

@@ -1,4 +1,5 @@
 const loggerFactory = require('@alias/logger');
+const { serializeUserSecurely } = require('../models/serializers/user-serializer');
 
 const logger = loggerFactory('growi:middleware:access-token-parser');
 
@@ -23,8 +24,7 @@ module.exports = (crowi) => {
     }
 
     // transforming attributes
-    // see User model
-    req.user = user.toObject();
+    req.user = serializeUserSecurely(user);
     req.skipCsrfVerify = true;
 
     logger.debug('Access token parsed: skipCsrfVerify');

src/server/models/user-group-relation.js

@@ -139,7 +139,7 @@ class UserGroupRelation {
    * @returns {Promise<ObjectId[]>}
    */
   static async findAllUserGroupIdsRelatedToUser(user) {
-    const relations = await this.find({ relatedUser: user.id })
+    const relations = await this.find({ relatedUser: user._id })
       .select('relatedGroup')
       .exec();