Fix listing private topics in /forum_posts.

Fix an exploit allowing viewing of private topics with http://danbooru.donmai.us/forum_posts
2016-10-30 15:49:01 -05:00
parent 4e9f7391e6
commit 5d54ba5096
2 changed files with 10 additions and 2 deletions
--- a/app/models/forum_post.rb
+++ b/app/models/forum_post.rb
@@ -54,8 +54,12 @@ class ForumPost < ActiveRecord::Base
      where("forum_posts.is_deleted = false")
    end

+    def permitted
+      joins(:topic).where("min_level <= ?", CurrentUser.level)
+    end
+
    def search(params)
-      q = where("true")
+      q = permitted
      return q if params.blank?

      if params[:creator_id].present?
--- a/app/models/forum_topic.rb
+++ b/app/models/forum_topic.rb
@@ -57,8 +57,12 @@ class ForumTopic < ActiveRecord::Base
      where("is_deleted = false")
    end

+    def permitted
+      where("min_level <= ?", CurrentUser.level)
+    end
+
    def search(params)
-      q = where("true")
+      q = permitted
      return q if params.blank?

      if params[:title_matches].present?