From 411696b85e3397438d37e6f336ead66d692dadd7 Mon Sep 17 00:00:00 2001
From: Arpit Jalan
Date: Sun, 15 Apr 2018 17:59:58 +0530
Subject: [PATCH] SECURITY: do not disclose topic titles on /unsubscribed page to unauthorized users

---
 app/controllers/email_controller.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/app/controllers/email_controller.rb b/app/controllers/email_controller.rb
index 9701cfc096d..c665220cc1b 100644
--- a/app/controllers/email_controller.rb
+++ b/app/controllers/email_controller.rb
@@ -110,8 +110,10 @@ class EmailController < ApplicationController
   def unsubscribed
     @email = params[:email]
-    raise Discourse::NotFound if !User.find_by_email(params[:email])
+    user = User.find_by_email(params[:email])
+    raise Discourse::NotFound unless user
     @topic = Topic.find_by(id: params[:topic_id].to_i) if params[:topic_id]
+    raise Discourse::NotFound unless Guardian.new(user).can_see?(@topic)
   end
 end
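Review bot: The visibility check added as the last line of `unsubscribed` runs even when no `topic_id` parameter was supplied, in which case `@topic` is nil; if `Guardian#can_see?` returns a falsy value for nil (the Guardian source is not on the page), every topic-less request to this action now raises NotFound instead of rendering the page. Conditioning the check on the topic keeps the fix while preserving that path: `raise Discourse::NotFound if @topic && !Guardian.new(user).can_see?(@topic)`. Note also that the guardian is built from the account matched by the caller-supplied `email` parameter rather than from the requester, so the check answers whether that account may see the topic, not whether the requester may; whether that is sufficient depends on how this page is reached, which the hunk does not show. A short comment above the check, e.g. `# Only render the topic if the account being unsubscribed is allowed to see it`, would record the intent stated in the commit message.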