SECURITY: Do not leak private group names. (#7008)

2025-02-25 18:55:32 -06:00 · 2019-02-14 16:35:58 +02:00
parent b5fbd7385f
commit 70adb94008
3 changed files with 22 additions and 3 deletions
--- a/app/models/site.rb
+++ b/app/models/site.rb
@@ -71,6 +71,12 @@ class Site
    end
  end

+  def groups
+    groups = Group.visible_groups(@guardian.user)
+    groups = groups.where("automatic IS FALSE OR groups.id = #{Group::AUTO_GROUPS[:moderators]}") if !@guardian.is_staff?
+    groups
+  end
+
  def suppressed_from_latest_category_ids
    categories.select { |c| c.suppress_from_latest == true }.map(&:id)
  end