Strip personally identifiable information from user table for unauthorized users.

- add a config option to explicitly enumerate PII fields beyond email
- in the query controller, strip PII from user table results before sending them out the door.
Arthur Cinader
2016-12-01 17:04:09 -08:00
committed by Florent Vilmart
parent a270632570
commit 01b05b060f
6 changed files with 546 additions and 14 deletions


@@ -34,6 +34,7 @@ export class Config {
this.fileKey = cacheInfo.fileKey;
this.facebookAppIds = cacheInfo.facebookAppIds;
this.allowClientClassCreation = cacheInfo.allowClientClassCreation;
this.userSensitiveFields = cacheInfo.userSensitiveFields;
// Create a new DatabaseController per request
if (cacheInfo.databaseController) {