SECURITY: Don't allow moderators to view the admins inbox

2025-02-17 07:52:45 +08:00 · 2020-09-07 17:52:51 +01:00 · 2020-09-07 17:52:51 +01:00 · 18d35bf64a
commit 18d35bf64a
parent 0b8e7d88fe
1 changed files with 2 additions and 1 deletions
--- a/lib/topic_query.rb
+++ b/lib/topic_query.rb
@ -540,7 +540,8 @@ class TopicQuery
              SELECT group_id
              FROM group_users
              WHERE user_id = #{user.id.to_i}
-              OR #{user.staff?}
+              OR #{user.admin?}
+              OR (#{user.staff?} AND group_id <> #{Group::AUTO_GROUPS[:admins]})
            )
          )
          AND group_id IN (SELECT id FROM groups WHERE name ilike ?)