From 4eb0a6413530477bfe8ac2ef2a2ef8923607dbf8 Mon Sep 17 00:00:00 2001
From: Albert Yi
Date: Tue, 6 Dec 2016 14:34:46 -0800
Subject: [PATCH] fix exploit for viewing private dmails

---
 app/controllers/dmails_controller.rb      | 5 ++++-
 test/functional/dmails_controller_test.rb | 6 ++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/app/controllers/dmails_controller.rb b/app/controllers/dmails_controller.rb
index f6acf1c1b..de6619fc7 100644
--- a/app/controllers/dmails_controller.rb
+++ b/app/controllers/dmails_controller.rb
@@ -5,7 +5,9 @@ class DmailsController < ApplicationController
   def new
     if params[:respond_to_id]
-      @dmail = Dmail.find(params[:respond_to_id]).build_response(:forward => params[:forward])
+      parent = Dmail.find(params[:respond_to_id])
+      check_privilege(parent)
+      @dmail = parent.build_response(:forward => params[:forward])
     else
       @dmail = Dmail.new(params[:dmail])
     end
 
@@ -58,6 +60,7 @@ class DmailsController < ApplicationController
   end
 
   private
+
   def check_privilege(dmail)
     if !dmail.visible_to?(CurrentUser.user, params[:key])
       raise User::PrivilegeError
diff --git a/test/functional/dmails_controller_test.rb b/test/functional/dmails_controller_test.rb
index 90b761e98..a89f1764c 100644
--- a/test/functional/dmails_controller_test.rb
+++ b/test/functional/dmails_controller_test.rb
@@ -22,6 +22,12 @@ class DmailsControllerTest < ActionController::TestCase
     end
 
     context "with a respond_to_id" do
+      should "check privileges" do
+        @user2 = FactoryGirl.create(:user)
+        get :new, {:respond_to_id => @dmail}, {:user_id => @user2.id}
+        assert_response 403
+      end
+
       should "prefill the fields" do
         get :new, {:respond_to_id => @dmail}, {:user_id => @user.id}
         assert_response :success
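Review bot: The new `check_privilege(parent)` call in `new` is the right gate, but it runs only after `Dmail.find`, so a user who cannot read a dmail still gets a different outcome for an id that does not exist (record-not-found) than for one that exists (`User::PrivilegeError`); whether that id-existence distinction matters here depends on how the application renders those two errors, which is outside this hunk. Since the intent of the ordering is not obvious from the code, a short comment above the check would help the next reader: `# the parent must be readable by the current user before it is quoted into the reply`. It may also be worth confirming that every other action reading a dmail by id (show and any reply/forward path outside this diff) goes through the same `check_privilege` helper, since the fix here covers only the `respond_to_id` branch of `new`.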
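Review bot: In the new "check privileges" test, `@user2` is an instance variable that is only used inside this one `should` block; a local such as `other_user = FactoryGirl.create(:user)` keeps it from leaking into later tests in the context and matches its actual scope. The test pins the no-key case only; `check_privilege` also consults `params[:key]`, so a companion case that passes an incorrect `:key` alongside `:respond_to_id` and still expects 403 would cover the second input the guard depends on, assuming the key path is reachable from this action.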