forum post votes: fix exploits with voting on mod-only forum posts.

* Don't allow unprivileged users to vote on mod-only forum posts.
* Don't allow unprivileged users to see votes on mod-only forum posts.
This commit is contained in:
evazion
2020-02-16 04:51:23 -06:00
parent bf4dbf1449
commit 835cc23f66
2 changed files with 4 additions and 2 deletions

@@ -3,14 +3,14 @@ class ForumPostVotesController < ApplicationController
before_action :member_only, only: [:create, :destroy]
def index
@forum_post_votes = ForumPostVote.paginated_search(params, count_pages: true)
@forum_post_votes = ForumPostVote.visible.paginated_search(params, count_pages: true)
@forum_post_votes = @forum_post_votes.includes(:creator, forum_post: [:creator, :topic]) if request.format.html?
respond_with(@forum_post_votes)
end
def create
@forum_post = ForumPost.find(params[:forum_post_id])
@forum_post = ForumPost.permitted.find(params[:forum_post_id])
@forum_post_vote = @forum_post.votes.create(forum_post_vote_params.merge(creator: CurrentUser.user))
respond_with(@forum_post_vote)
end
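
Review bot: `destroy` is named in the `before_action :member_only` line at the top of this hunk, but its lookup is not among the changed lines, so confirm it resolves the vote through the same kind of scope as `create` now does with `ForumPost.permitted.find`. If it still finds the record unscoped, apply `visible` or `permitted` there too. Two smaller points: the scopes are named differently on the two models (`ForumPostVote.visible` in `index`, `ForumPost.permitted` in `create`), which is worth a short comment on each scope saying which user it is evaluated against, and a regression test that requests `index` and `create` as an unprivileged user against a mod-only post would keep both checks from being dropped in a later refactor.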