From 18d35bf64aff8931ee1072779324ead5c88f00c2 Mon Sep 17 00:00:00 2001
From: Daniel Waterworth
Date: Mon, 7 Sep 2020 17:52:51 +0100
Subject: [PATCH] SECURITY: Don't allow moderators to view the admins inbox
---
 lib/topic_query.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/topic_query.rb b/lib/topic_query.rb
index ec6133ca747..fcffb422bef 100644
--- a/lib/topic_query.rb
+++ b/lib/topic_query.rb
@@ -540,7 +540,8 @@ class TopicQuery
 SELECT group_id FROM group_users WHERE user_id = #{user.id.to_i}
- OR #{user.staff?}
+ OR #{user.admin?}
+ OR (#{user.staff?} AND group_id <> #{Group::AUTO_GROUPS[:admins]})
 ) ) AND group_id IN (SELECT id FROM groups WHERE name ilike ?)