SECURITY: Don't expose user post counts to users who can't see the topic (#19728)

Co-authored-by: Penar Musaraj <pmusaraj@gmail.com>

Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
Co-authored-by: Penar Musaraj <pmusaraj@gmail.com>
Alan Guo Xiang Tan
2023-01-05 06:08:19 +08:00
committed by GitHub
parent c0e2d7bada
commit cbcf8a064b
2 changed files with 10 additions and 1 deletions


@ -72,7 +72,7 @@ class UsersController < ApplicationController
user_serializer = serializer_class.new(@user, scope: guardian, root: 'user')
topic_id = params[:include_post_count_for].to_i
if topic_id != 0
if topic_id != 0 && guardian.can_see?(Topic.find_by_id(topic_id))
user_serializer.topic_post_count = { topic_id => Post.secured(guardian).where(topic_id: topic_id, user_id: @user.id).count }
end
else