From aa614e393c600f41d3e922ecf295cf2c9217700d Mon Sep 17 00:00:00 2001
From: pmusaraj
Date: Wed, 12 Sep 2018 13:08:02 -0400
Subject: [PATCH] return 403 when trying drafts of another user

---
 app/controllers/drafts_controller.rb | 8 ++------
 config/locales/server.en.yml | 1 -
 spec/requests/drafts_controller_spec.rb | 6 ++----
 3 files changed, 4 insertions(+), 11 deletions(-)

diff --git a/app/controllers/drafts_controller.rb b/app/controllers/drafts_controller.rb
index aa8840bd05c..00afdf2f7cb 100644
--- a/app/controllers/drafts_controller.rb
+++ b/app/controllers/drafts_controller.rb
@@ -16,8 +16,6 @@ class DraftsController < ApplicationController
 limit: params[:limit]
 }
 
- help_key = "user_activity.no_drafts"
-
 if user == current_user
 stream = Draft.stream(opts)
 stream.each do |d|
@@ -31,15 +29,13 @@ class DraftsController < ApplicationController
 end
 end
 end
-
- help_key += ".self"
 else
- help_key += ".others"
+ raise Discourse::InvalidAccess
 end
 
 render json: {
 drafts: stream ? serialize_data(stream, DraftSerializer) : [],
- no_results_help: I18n.t(help_key)
+ no_results_help: I18n.t("user_activity.no_drafts.self")
 }
 end
 
diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
index ce8b16cd090..202df128285 100644
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@@ -796,7 +796,6 @@ en:
 others: "No replies."
 no_drafts:
 self: "You have no drafts; begin composing a reply in any topic and it will be auto-saved as a new draft."
- others: "You do not have permission to see drafts for this user."
 
 topic_flag_types:
 spam:
diff --git a/spec/requests/drafts_controller_spec.rb b/spec/requests/drafts_controller_spec.rb
index 141b790d6a1..85e45b1176a 100644
--- a/spec/requests/drafts_controller_spec.rb
+++ b/spec/requests/drafts_controller_spec.rb
@@ -1,4 +1,5 @@
 require 'rails_helper'
+require 'pp'
 
 describe DraftsController do
 it 'requires you to be logged in' do
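Review bot: The authorization decision in the second controller hunk sits at the bottom of an if/else whose `if` body does all the work first, so `opts` is built and the branch structure entered before the action decides whether the caller may see these drafts at all; a guard clause ahead of the stream work, `raise Discourse::InvalidAccess unless user == current_user`, would put the access check where a reader looks for it and let the `else` branch go away. With the `else` now raising, `stream` at the `render` line can only be the value assigned by `stream = Draft.stream(opts)` in the `if` branch, so the `stream ? … : []` guard only matters if `Draft.stream` can return nil — if it cannot, `drafts: serialize_data(stream, DraftSerializer)` is clearer. The enclosing action starts before the first hunk and `user` is assigned outside the visible lines, so whether an unknown username is already rejected before reaching this 403 cannot be confirmed from here.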
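Review bot: `require 'pp'` is added at the top of the spec, but nothing in the visible hunks of this file uses it and `pp` is the usual interactive debugging helper, so it reads as a leftover from local debugging rather than part of the fix. Unless a later part of the spec calls `pp`, the added line can be dropped and `require 'rails_helper'` left on its own.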
@@ -28,11 +29,8 @@ describe DraftsController do
 it 'does not let a user see drafts stream of another user' do
 user_b = Fabricate(:user)
 Draft.set(user_b, 'xxx', 0, '{}')
- sign_in(Fabricate(:user))
 
 get "/drafts.json", params: { username: user_b.username }
- expect(response.status).to eq(200)
- parsed = JSON.parse(response.body)
- expect(parsed["drafts"].length).to eq(0)
+ expect(response.status).to eq(403)
 end
 end
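Review bot: Removing `sign_in(Fabricate(:user))` means the request now runs with no session, so the 403 asserted on the last changed line may come from the controller's login requirement (the file's own 'requires you to be logged in' example shows there is one) rather than from the new `Discourse::InvalidAccess` raised for another user's drafts, and the example no longer proves the case its name describes. Keeping the sign-in and asserting the new status exercises the intended path: restore `sign_in(Fabricate(:user))` before the `get` and leave `expect(response.status).to eq(403)` as is. That a logged-out request also answers 403 is inferred from the other example rather than visible in this hunk.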