From 43837210edab64e804409539f590652065313014 Mon Sep 17 00:00:00 2001
From: Lawrence Elitzer <5624305+elitzer2@users.noreply.github.com>
Date: Sun, 30 Aug 2020 00:48:33 -0500
Subject: [PATCH] Don't reveal to the API the list of subscribers
---
 server/routes/subscription.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/server/routes/subscription.js b/server/routes/subscription.js
index 7446580f..bbcc1ac5 100644
--- a/server/routes/subscription.js
+++ b/server/routes/subscription.js
@@ -282,7 +282,9 @@ router.postAsync('/:cid/subscribe', passport.parseForm, corsOrCsrfProtection, as
 if (existingSubscription && existingSubscription.status === SubscriptionStatus.SUBSCRIBED) {
 await mailHelpers.sendAlreadySubscribed(req.locale, list, email, existingSubscription);
 if (req.xhr) {
- throw new Error(tUI('listEmailAddressAlreadyRegistered', req.locale, {list: list.name}));
+ return res.status(200).json({
+ msg: tUI('pleaseConfirmSubscription', req.locale)
+ });
 }
 res.redirect('/subscription/' + encodeURIComponent(req.params.cid) + '/confirm-subscription-notice');
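Review bot: The new XHR branch closes the subscriber-enumeration oracle only if its reply is indistinguishable from the one a fresh subscription receives, and the hunk cannot show that because the not-yet-subscribed path lies outside it. Confirm that path also answers 200 with a body holding only `msg: tUI('pleaseConfirmSubscription', req.locale)`, ideally by building both replies in one place so they cannot drift; a differing status or an extra field would bring the leak back. A comment above the return would stop a later edit from restoring the error, e.g. `// Reply exactly as for a new subscription so the API does not reveal whether the address is already on the list`. This branch still awaits `sendAlreadySubscribed` before replying, so response timing may also separate the two cases, which is worth measuring. The route handler starts and ends outside the hunk, and the hunk header counts one more context line than is visible here.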