security fix, do not pass smtp password with front-end

components/admin/Settings.vue

@@ -83,7 +83,7 @@ export default {
   computed: {
     ...mapState(['settings']),
     showSMTPAlert () {
-      return !this.setup && (!this.settings.admin_email || !this.settings.smtp || !this.settings.smtp.host || !this.settings.smtp.user)
+      return !this.setup && (!this.settings.admin_email || !this.settings.smtp || !this.settings.smtp.host || !this.settings.smtp.auth.user)
     },
     instance_locale: {
       get () { return this.settings.instance_locale },

server/helpers.js

@@ -65,6 +65,13 @@ module.exports = {
     // initialize settings
     req.settings = { ...settingsController.settings }
 
+    if (req.settings.smtp && req.settings.smtp.auth && req.settings.smtp.auth.pass) {
+      if (req.user.is_admin) {
+        delete req.settings.smtp.auth.pass
+      } else {
+        delete req.settings.smtp
+      }
+    }
     req.settings.baseurl = config.baseurl
     req.settings.hostname = config.hostname
     req.settings.title = req.settings.title || config.title