jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fix listing private topics in /forum_posts.

Browse Source 
Fix an exploit allowing viewing of private topics with

  http://danbooru.donmai.us/forum_posts
This commit is contained in:
evazion
2016-10-30 15:49:01 -05:00
parent 4e9f7391e6
commit 5d54ba5096
2 changed files with 10 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
app/models/forum_post.rb
View File

@@ -54,8 +54,12 @@ class ForumPost < ActiveRecord::Base
where("forum_posts.is_deleted = false") where("forum_posts.is_deleted = false")
end end
def permitted
joins(:topic).where("min_level <= ?", CurrentUser.level)
end
def search(params) def search(params)
q = where("true") q = permitted
return q if params.blank? return q if params.blank?
if params[:creator_id].present? if params[:creator_id].present?

6
app/models/forum_topic.rb
View File

@@ -57,8 +57,12 @@ class ForumTopic < ActiveRecord::Base
where("is_deleted = false") where("is_deleted = false")
end end
def permitted
where("min_level <= ?", CurrentUser.level)
end
def search(params) def search(params)
q = where("true") q = permitted
return q if params.blank? return q if params.blank?
if params[:title_matches].present? if params[:title_matches].present?