jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fix exploit making user name change reasons being public in API.

Browse Source
This commit is contained in:
evazion
2017-01-19 23:38:27 +00:00
parent 75c13cc953
commit afb8eeea30
1 changed files with 8 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
app/models/user_name_change_request.rb
View File

@@ -89,4 +89,12 @@ class UserNameChangeRequest < ActiveRecord::Base
return true
end
end
def hidden_attributes
if CurrentUser.is_admin? || user == CurrentUser.user
[]
else
super + [:change_reason, :rejection_reason]
end
end
end