From 5d54ba5096524f134506a67515ae2dfa2b72ad56 Mon Sep 17 00:00:00 2001
From: evazion
Date: Sun, 30 Oct 2016 15:49:01 -0500
Subject: [PATCH] Fix listing private topics in /forum_posts.

Fix an exploit allowing viewing of private topics with http://danbooru.donmai.us/forum_posts
---
 app/models/forum_post.rb | 6 +++++-
 app/models/forum_topic.rb | 6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/app/models/forum_post.rb b/app/models/forum_post.rb
index a8a05f3e9..e0a1e65df 100644
--- a/app/models/forum_post.rb
+++ b/app/models/forum_post.rb
@@ -54,8 +54,12 @@ class ForumPost < ActiveRecord::Base
     where("forum_posts.is_deleted = false")
   end
 
+  def permitted
+    joins(:topic).where("min_level <= ?", CurrentUser.level)
+  end
+
   def search(params)
-    q = where("true")
+    q = permitted
     return q if params.blank?
 
     if params[:creator_id].present?
diff --git a/app/models/forum_topic.rb b/app/models/forum_topic.rb
index 344fe6c66..6c82d9112 100644
--- a/app/models/forum_topic.rb
+++ b/app/models/forum_topic.rb
@@ -57,8 +57,12 @@ class ForumTopic < ActiveRecord::Base
     where("is_deleted = false")
   end
 
+  def permitted
+    where("min_level <= ?", CurrentUser.level)
+  end
+
   def search(params)
-    q = where("true")
+    q = permitted
     return q if params.blank?
 
     if params[:title_matches].present?
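Review bot: The new `permitted` in forum_post.rb filters on an unqualified `min_level` after `joins(:topic)`, while the neighbouring scope qualifies its column as `forum_posts.is_deleted`; if forum_posts ever gains a `min_level` column the query raises an ambiguous-column error and the access check stops working, so qualify it as `joins(:topic).where("forum_topics.min_level <= ?", CurrentUser.level)`. Better still, keep the visibility rule in one place by reusing the topic-side scope the same commit adds in forum_topic.rb, `joins(:topic).merge(ForumTopic.permitted)`, provided `permitted` there is reachable as a class-level scope (the hunk header shows only the class, so how these `def`s are exposed is not visible here). Note that only `search` is routed through `permitted`; any other path that loads posts directly is unchanged by this commit, which may be intended given the title but is worth confirming. The `search` body continues past the end of the hunk.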
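Review bot: `permitted` in forum_topic.rb reads `CurrentUser.level` with no fallback, so for a request with no current user set (if that is possible in this app) the scope raises rather than filtering conservatively; consider asserting or documenting the invariant, e.g. `# Assumes CurrentUser is always populated for this request; a nil user must not widen visibility.` The new scope also carries no explanation of what it enforces, so a one-line comment would help the next reader: `# Topics visible to the current user: min_level is the minimum user level required to see the topic.` The same `CurrentUser.level` dependency exists in the forum_post.rb hunk; `search` continues beyond the hunk's last line.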