From 05ad112831d29c2a0877f800e59e79e2ebb3449c Mon Sep 17 00:00:00 2001
From: evazion
Date: Fri, 24 Aug 2018 11:50:41 -0500
Subject: [PATCH] Fix #3835: Related tags update vulnerability. Also fixes deprecated call to `render :text`.
---
 app/controllers/application_controller.rb | 7 -------
 app/controllers/related_tags_controller.rb | 8 ++++++++
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index fa9f6af55..3287d2f5d 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -36,13 +36,6 @@ class ApplicationController < ActionController::Base
 response.headers["Access-Control-Allow-Origin"] = "*"
 end

- def require_reportbooru_key
- unless params[:key] == Danbooru.config.reportbooru_key
- render(text: "forbidden", status: 403)
- return false
- end
- end
-
 def bad_db_connection
 respond_to do |format|
 format.json do
diff --git a/app/controllers/related_tags_controller.rb b/app/controllers/related_tags_controller.rb
index c686d035e..30f436b61 100644
--- a/app/controllers/related_tags_controller.rb
+++ b/app/controllers/related_tags_controller.rb
@@ -19,4 +19,12 @@ class RelatedTagsController < ApplicationController
 @tag.save
 head :ok
 end
+
+ protected
+
+ def require_reportbooru_key
+ unless Danbooru.config.reportbooru_key.present? && params[:key] == Danbooru.config.reportbooru_key
+ raise User::PrivilegeError
+ end
+ end
 end
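Review bot: In the new `require_reportbooru_key` (related_tags_controller.rb hunk), the shared secret is still compared with `==`, which is not constant-time. Assuming the configured key is a String, the comparison could become `ActiveSupport::SecurityUtils.secure_compare(params[:key].to_s, Danbooru.config.reportbooru_key)`, kept behind the existing `present?` guard. That guard appears to be the actual fix, since with no key configured the old `params[:key] == Danbooru.config.reportbooru_key` would evaluate `nil == nil` for a request without `key`. A one-line comment would protect it from a later cleanup, e.g. `# Fail closed: an unset reportbooru_key must never match a missing params[:key]`. The `before_action` that applies this filter is outside the hunk, so confirm it still covers `update`, and that `key` is in the app's filtered parameters so the secret is not written to request logs.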