github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-29 11:48:08 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: don't reveal category details to users that do not have access

Browse Source
This commit is contained in:
Arpit Jalan
2019-08-19 12:38:28 +05:30
parent 897cdfb596
commit 24f94c40a6
2 changed files with 29 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/controllers/categories_controller.rb
View File

@ -117,6 +117,8 @@ class CategoriesController < ApplicationController
end
def show
guardian.ensure_can_see!(@category)
if Category.topic_create_allowed(guardian).where(id: @category.id).exists?
@category.permission = CategoryGroup.permission_types[:full]
end