SECURITY: user summary could show topic links you have no permissions to
parent
6a7bdfecc8
commit
b25e505fb7
2 changed files with 40 additions and 2 deletions
app/models
|
@ -16,6 +16,7 @@ class UserSummary
|
|||
Topic
|
||||
.secured(@guardian)
|
||||
.listable_topics
|
||||
.visible
|
||||
.where(user: @user)
|
||||
.order('like_count desc, created_at asc')
|
||||
.includes(:user, :category)
|
||||
|
@ -25,12 +26,13 @@ class UserSummary
|
|||
def replies
|
||||
Post
|
||||
.secured(@guardian)
|
||||
.includes(:user, {topic: :category})
|
||||
.references(:topic)
|
||||
.merge(Topic.listable_topics.visible.secured(@guardian))
|
||||
.where(user: @user)
|
||||
.where('post_number > 1')
|
||||
.where('topics.archetype <> ?', Archetype.private_message)
|
||||
.order('posts.like_count desc, posts.created_at asc')
|
||||
.includes(:user, {topic: :category})
|
||||
.references(:topic)
|
||||
.limit(MAX_TOPICS)
|
||||
end
|
||||
|
||||
|
|
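Review bot: The `replies` chain in the second hunk lists `.includes(:user, {topic: :category})` and `.references(:topic)` twice; if both copies are on the new side of the diff, the later pair is redundant and can be dropped. The merged `Topic.listable_topics.visible.secured(@guardian)` is the line that applies topic-level visibility to replies, so it deserves a one-line comment, e.g. `# topic-level visibility check in addition to Post.secured (see b25e505fb7)`. The `topics` query in the first hunk gains `.secured(@guardian)` but no archetype exclusion is visible there, unlike `replies`; `def topics` starts outside the hunk, so confirm that `listable_topics` already excludes private messages. The diffstat lists a second changed file not shown here; if it is not a spec, a regression test asserting that a viewer without access to a category sees neither its topics nor its replies in the summary would pin this fix.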