Fix exploit making user name change reasons being public in API.

2017-01-19 23:38:27 +00:00
parent 75c13cc953
commit afb8eeea30
1 changed files with 8 additions and 0 deletions
--- a/app/models/user_name_change_request.rb
+++ b/app/models/user_name_change_request.rb
@@ -89,4 +89,12 @@ class UserNameChangeRequest < ActiveRecord::Base
      return true
    end
  end
  def hidden_attributes
    if CurrentUser.is_admin? || user == CurrentUser.user
      []
    else
      super + [:change_reason, :rejection_reason]
    end
  end
 end