SECURITY: dissalow mods from seeing PMs

2025-02-25 18:55:32 -06:00 · 2014-02-07 14:24:19 +11:00
parent 93434be16d
commit d9c05fcfc8
3 changed files with 11 additions and 3 deletions
--- a/lib/guardian/post_guardian.rb
+++ b/lib/guardian/post_guardian.rb
@@ -100,7 +100,10 @@ module PostGuardain
  end

  def can_see_post?(post)
-    post.present? && (is_staff? || (!post.deleted_at.present? && can_see_topic?(post.topic)))
+    post.present? &&
+      (is_admin? ||
+      ((is_moderator? || !post.deleted_at.present?) &&
+        can_see_topic?(post.topic)))
  end

  def can_see_post_revision?(post_revision)