From 6a6d16852aa146a9fb7586653a1ec0e26fa643d3 Mon Sep 17 00:00:00 2001
From: Type-kun
Date: Mon, 16 Jan 2017 19:34:31 +0500
Subject: [PATCH] Final fix for #2658 - close exploit with "new".

---
 app/controllers/forum_posts_controller.rb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/app/controllers/forum_posts_controller.rb b/app/controllers/forum_posts_controller.rb
index 2125886be..e3970036a 100644
--- a/app/controllers/forum_posts_controller.rb
+++ b/app/controllers/forum_posts_controller.rb
@@ -10,6 +10,10 @@ class ForumPostsController < ApplicationController
 @forum_topic = ForumTopic.find(params[:topic_id])
 raise User::PrivilegeError.new unless @forum_topic.visible?(CurrentUser.user)
 end
+ if params[:post_id]
+ quoted_post = ForumPost.find(params[:post_id])
+ raise User::PrivilegeError.new unless quoted_post.topic.visible?(CurrentUser.user)
+ end
 @forum_post = ForumPost.new_reply(params)
 respond_with(@forum_post)
 end
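Review bot: The added guard authorizes the quoted post through its topic's `visible?` check, which is the right fail-closed shape, but its effectiveness rests on `ForumPost.new_reply(params)` (the context line just below it) loading the quoted post from the same `params[:post_id]` key; if `new_reply` resolves the quoted post from any other parameter, the check is skipped, so that coupling should be stated on the `if params[:post_id]` line, e.g. `# Must use the same key new_reply reads for the quoted post; authorize its topic before any content is loaded`. The new block and the `topic_id` branch above it are the same pattern applied to two records, so a private helper holding the single line `raise User::PrivilegeError.new unless topic.visible?(CurrentUser.user)` and called from both branches would keep the two checks from drifting apart in later edits. If a forum post can exist without a topic, `quoted_post.topic.visible?` would fail with NoMethodError rather than PrivilegeError — `quoted_post.topic&.visible?(CurrentUser.user)` keeps that path failing closed under the intended error, though whether the association is optional is not visible here. The enclosing `new` action and its `if params[:topic_id]` branch begin above the hunk.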