fixes #2677: secure way of sharing dmails

app/models/dmail.rb

@@ -86,7 +86,7 @@ class Dmail < ActiveRecord::Base
     end
     
     def method_attributes
-      super + [:hash]
+      super + [:key]
     end
   end
   
@@ -222,12 +222,13 @@ class Dmail < ActiveRecord::Base
     end
   end
   
-  def hash
+  def key
-    Digest::SHA1.hexdigest("#{title} #{body}")
+    digest = OpenSSL::Digest.new("sha256")
+    OpenSSL::HMAC.hexdigest(digest, Danbooru.config.email_key, "#{title} #{body}")
   end
   
   def visible_to?(user, key)
-    owner_id == user.id || (user.is_moderator? && key == self.hash)
+    owner_id == user.id || (user.is_moderator? && key == self.key)
   end
 
 end

app/views/dmails/show.html.erb

@@ -22,6 +22,7 @@
         <%= link_to "Respond", new_dmail_path(:respond_to_id => @dmail) %>
         | <%= link_to "Forward", new_dmail_path(:respond_to_id => @dmail, :forward => true) %>
         | <%= link_to "Filter messages like these", edit_maintenance_user_dmail_filter_path(:dmail_id => @dmail.id) %>
+        | <%= link_to "Permalink", dmail_path(@dmail, :key => @dmail.key), :title => "Use this URL to privately share with a moderator" %>
       </p>
     </div>
   </div>