From 32025b77d3bc146da881fc29b48f3df0783dde3d Mon Sep 17 00:00:00 2001
From: Albert Yi <albert@carbonfive.com>
Date: Fri, 13 Apr 2018 11:45:33 -0700
Subject: [PATCH] remove fav_string from posts api unless user is moderator
 (fixes #3633)

---
 app/models/post.rb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/app/models/post.rb b/app/models/post.rb
index 49751b6bf..63820c31e 100644
--- a/app/models/post.rb
+++ b/app/models/post.rb
@@ -1468,6 +1468,9 @@ class Post < ApplicationRecord
   module ApiMethods
     def hidden_attributes
       list = super + [:tag_index]
+      unless CurrentUser.is_moderator?
+        list += [:fav_string]
+      end
       if !visible?
         list += [:md5, :file_ext]
       end