From afb8eeea303e640b4ff23859345e1aa1f0ae3285 Mon Sep 17 00:00:00 2001
From: evazion
Date: Thu, 19 Jan 2017 23:38:27 +0000
Subject: [PATCH 1/2] Fix exploit making user name change reasons being public in API.
---
 app/models/user_name_change_request.rb | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/app/models/user_name_change_request.rb b/app/models/user_name_change_request.rb
index 10c1ff795..3075d685c 100644
--- a/app/models/user_name_change_request.rb
+++ b/app/models/user_name_change_request.rb
@@ -89,4 +89,12 @@ class UserNameChangeRequest < ActiveRecord::Base
 return true
 end
 end
+
+ def hidden_attributes
+ if CurrentUser.is_admin? || user == CurrentUser.user
+ []
+ else
+ super + [:change_reason, :rejection_reason]
+ end
+ end
 end
From c6966268a20cccd78a95b3a88e2025298e76f727 Mon Sep 17 00:00:00 2001
From: evazion
Date: Thu, 19 Jan 2017 23:40:03 +0000
Subject: [PATCH 2/2] Remove 'reason' from name change request form; update copy.
---
 app/views/user_name_change_requests/new.html.erb | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/app/views/user_name_change_requests/new.html.erb b/app/views/user_name_change_requests/new.html.erb
index 6fc582a58..55e6d065e 100644
--- a/app/views/user_name_change_requests/new.html.erb
+++ b/app/views/user_name_change_requests/new.html.erb
@@ -1,6 +1,8 @@
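Review bot: In `hidden_attributes` (app/models/user_name_change_request.rb) the admin/owner branch returns `[]` instead of `super`, so whatever the parent implementation hides (not visible in this hunk) becomes visible to the record's owner and to admins for this model; returning `super` in that branch keeps the base list and only un-hides the two reason columns. The rule is also a denylist evaluated against the `CurrentUser` global at serialization time, so it only covers output paths that consult `hidden_attributes`; whether the API still allows searching or filtering on `change_reason` is not shown here and is worth confirming. The commit adds no test; one that serializes a request as a non-owner, non-admin user and asserts that `change_reason` and `rejection_reason` are absent would pin the fix.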

Name Change Request

-

You can request a name change but it must be approved. Factors that go into consideration include your upload and update history, and your user feedback.

+

You can request a name change once per week. Your previous names will still +be visible on your profile to other Danbooru members, but they won't be visible +to search engines.

<%= error_messages_for "change_request" %> @@ -9,11 +11,6 @@ <%= text_field_tag "desired_name" %> - -
- - <%= text_field_tag "reason" %> -
<%= submit_tag "Submit", :data => { :disable_with => "Submitting..." } %>