FIX: users can see the raw email source of their own posts

2025-05-21 18:12:32 +08:00 · 2014-11-12 14:49:42 +01:00
parent fe541891fc
commit a036ac7bdc
3 changed files with 5 additions and 6 deletions
--- a/app/controllers/posts_controller.rb
+++ b/app/controllers/posts_controller.rb
@ -31,8 +31,8 @@ class PostsController < ApplicationController
  end

  def raw_email
-    guardian.ensure_can_view_raw_email!
    post = Post.find(params[:id].to_i)
+    guardian.ensure_can_view_raw_email!(post)
    render json: {raw_email: post.raw_email}
  end