From d07600f04bb9603506386ccf959d4c499aba556a Mon Sep 17 00:00:00 2001
From: AlexejStukov
Date: Thu, 21 Jul 2016 21:06:25 +0200
Subject: [PATCH] Security fix - every field of a model is send - even password

Atm WebsocketBinding sends every field of a model, even the password of a user. Users of the class should have to think about which fields they want to send to the user. Also added a more intuitive option for sending all fields.
---
 channels/binding/websockets.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/channels/binding/websockets.py b/channels/binding/websockets.py
index 5252299..0e1409e 100644
--- a/channels/binding/websockets.py
+++ b/channels/binding/websockets.py
@@ -30,6 +30,11 @@ class WebsocketBinding(Binding):
     # Stream multiplexing name
     stream = None
+
+    # only model fields that are listed in fields should be send by default
+    # if you want to really send all fields, use fields = ['__all__']
+
+    fields = []
 
     # Outbound
     @classmethod
@@ -49,7 +54,9 @@ class WebsocketBinding(Binding):
         """
         Serializes model data into JSON-compatible types.
         """
-        data = serializers.serialize('json', [instance])
+        if self.fields == ['__all__']:
+            self.fields = None
+        data = serializers.serialize('json', [instance], fields=self.fields)
         return json.loads(data)[0]['fields']
 
     # Inbound
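Review bot: In the second hunk, `serialize` overwrites `self.fields` with `None` as a side effect of the `['__all__']` check, so one outbound call mutates the binding's configuration and any later code that reads `self.fields` (the inbound section starts after this hunk and is not visible here, so whether it consults the same allowlist cannot be confirmed) sees `None` instead of the value the user configured. Resolve the sentinel into a local instead: `fields = None if self.fields == ['__all__'] else self.fields` and `data = serializers.serialize('json', [instance], fields=fields)`. The default `fields = []` from the first hunk hands an empty allowlist to `serializers.serialize`, which — if Django's `selected_fields` check behaves as it does in the versions I know — serializes no fields at all; that is the right fail-closed default for a fix like this, but the comment should state it explicitly and fix the wording, e.g. `# Allowlist of model fields to send: the default [] sends none, ['__all__'] sends every field.`. A tuple `()` as the default would additionally avoid a mutable list shared by every subclass that forgets to override it.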