70b82010a7
Fix an exploit in #4553. It was possible to use nested searches to infer the contents of private forum posts. For example: * https://danbooru.donmai.us/users?search[forum_posts][id]=121683&search[forum_posts][body_matches]=h* * https://danbooru.donmai.us/users?search[forum_posts][id]=121683&search[forum_posts][body_matches]=he* * https://danbooru.donmai.us/users?search[forum_posts][id]=121683&search[forum_posts][body_matches]=hel* * https://danbooru.donmai.us/users?search[forum_posts][id]=121683&search[forum_posts][body_matches]=hell* * https://danbooru.donmai.us/users?search[forum_posts][id]=121683&search[forum_posts][body_matches]=hello* The above searches returned the user 'albert', indicating that the private forum post with id 121683 starts with the word 'hello'. By guessing the id of a private forum post (which can be done by searching for gaps in the id sequence), and by guessing text within the post (which can be done by sequentially guessing characters with wildcard searches), one could eventually infer the full text of a private forum post. The fix is to make nested searches only return records that are visible to the current user.