jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

fix exploit for viewing private dmails

Browse Source
This commit is contained in:
Albert Yi
2016-12-06 14:34:46 -08:00
parent deb62e0cdb
commit 4eb0a64135
2 changed files with 10 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
app/controllers/dmails_controller.rb
View File

@@ -5,7 +5,9 @@ class DmailsController < ApplicationController
def new
if params[:respond_to_id]
@dmail = Dmail.find(params[:respond_to_id]).build_response(:forward => params[:forward])
parent = Dmail.find(params[:respond_to_id])
check_privilege(parent)
@dmail = parent.build_response(:forward => params[:forward])
else
@dmail = Dmail.new(params[:dmail])
end
@@ -58,6 +60,7 @@ class DmailsController < ApplicationController
end
private
def check_privilege(dmail)
if !dmail.visible_to?(CurrentUser.user, params[:key])
raise User::PrivilegeError