illinois · nwalters512 · Mar 24, 2019 · Mar 14, 2019 · Mar 14, 2019 · Mar 14, 2019
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -64,7 +64,7 @@
     "redux": "^4.0.1",
     "redux-thunk": "^2.3.0",
     "reselect": "^4.0.0",
-    "sequelize": "^4.42.0",
+    "sequelize": "^5.1.0",
     "sequelize-stream": "^1.0.2",
     "socket.io": "^2.2.0",
     "socket.io-client": "^2.2.0",

diff --git a/src/api/questions.js b/src/api/questions.js
@@ -137,17 +137,21 @@ router.post(
       }
     }
 
-    const question = Question.build({
-      name: data.name,
-      // Questions in fixed-location queues should never have a location
-      location: res.locals.queue.fixedLocation ? '' : data.location,
-      topic: data.topic,
-      enqueueTime: new Date(),
-      queueId,
-      askedById: askerId,
-    })
+    const question = await Question.create(
+      {
+        name: data.name,
+        // Questions in fixed-location queues should never have a location
+        location: res.locals.queue.fixedLocation ? '' : data.location,
+        topic: data.topic,
+        enqueueTime: new Date(),
+        queueId,
+        askedById: askerId,
+      },
+      {
+        include: [{ model: User, as: 'askedBy' }],
+      }
+    )
 
-    await question.save()
     await question.reload()
     res.status(201).send(question)
   })

diff --git a/src/api/queues.js b/src/api/queues.js
@@ -113,13 +113,25 @@ router.get(
           },
           required: false,
           include: [User],
+          attributes: ['startTime', 'endTime'],
         },
         {
           model: Question,
           required: false,
           where: {
             dequeueTime: null,
           },
+          attributes: [
+            'id',
+            'name',
+            'topic',
+            'beingAnswered',
+            'answerStartTime',
+            'enqueueTime',
+            'dequeueTime',
+            'askedById',
+          ],
+          include: [{ model: User, as: 'askedBy' }],
         },
       ],
       order: [[Question, 'id', 'ASC']],

diff --git a/src/api/queues.test.js b/src/api/queues.test.js
@@ -40,11 +40,8 @@ describe('Queues API', () => {
       expect(res.body[1].id).toBe(2)
 
       res.body.forEach(queue => {
-        if (user === 'admin') {
-          includesPrivateAttributes(queue)
-        } else {
-          excludesPrivateAttributes(queue)
-        }
+        // This endpoint shouldn't include private attributes
+        excludesPrivateAttributes(queue)
       })
     }
     test('succeeds for admin', async () => {

diff --git a/src/models/index.js b/src/models/index.js
@@ -38,7 +38,8 @@ module.exports.initSequelize = sequelize => {
 }
 
 const sequelizeConfig = {
-  operatorsAliases: Sequelize.Op,
+  // See http://docs.sequelizejs.com/manual/querying.html#operators-security
+  operatorsAliases: false,
   dialectOptions: {
     multipleStatements: true,
   },