FIX: don't leak whisper count in user card

2025-02-25 18:55:32 -06:00 · 2017-09-14 20:08:16 +02:00
parent 39adf2588a
commit 797936d2c5
4 changed files with 34 additions and 7 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -50,7 +50,7 @@ class UsersController < ApplicationController

    topic_id = params[:include_post_count_for].to_i
    if topic_id != 0
-      user_serializer.topic_post_count = { topic_id => Post.where(topic_id: topic_id, user_id: @user.id).count }
+      user_serializer.topic_post_count = { topic_id => Post.secured(guardian).where(topic_id: topic_id, user_id: @user.id).count }
    end

    if !params[:skip_track_visit] && (@user != current_user)