From afb8eeea303e640b4ff23859345e1aa1f0ae3285 Mon Sep 17 00:00:00 2001
From: evazion
Date: Thu, 19 Jan 2017 23:38:27 +0000
Subject: [PATCH] Fix exploit making user name change reasons being public in API.

---
 app/models/user_name_change_request.rb | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/app/models/user_name_change_request.rb b/app/models/user_name_change_request.rb
index 10c1ff795..3075d685c 100644
--- a/app/models/user_name_change_request.rb
+++ b/app/models/user_name_change_request.rb
@@ -89,4 +89,12 @@ class UserNameChangeRequest < ActiveRecord::Base
       return true
     end
   end
+
+  def hidden_attributes
+    if CurrentUser.is_admin? || user == CurrentUser.user
+      []
+    else
+      super + [:change_reason, :rejection_reason]
+    end
+  end
 end
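Review bot: The privileged branch of the new `hidden_attributes` returns a bare `[]` instead of `super`, so for admins and the requesting user it also un-hides anything the parent implementation already hides, which is not what a fix scoped to the two reason fields should do; returning `super` there keeps the parent's list intact, `[]` → `super`. The `user == CurrentUser.user` comparison also grants the owner view whenever both sides are equal, so if `CurrentUser.user` can be nil for an unauthenticated API request and the request's `user` association is ever nil, the reasons would be exposed — worth a guard such as `CurrentUser.user.present? && user == CurrentUser.user`, if that case is reachable. This is presumably the project's own `hidden_attributes` hook rather than an ActiveRecord method, so a one-line comment above the method naming the concern that consumes it (the JSON/XML serializers) would help the next reader see why the check lives in the model.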