SECURITY: do not disclose topic titles on /unsubscribed page to unauthorized users
This commit is contained in:
parent
0bf1c476d7
commit
411696b85e
@ -110,8 +110,10 @@ class EmailController < ApplicationController
def unsubscribed
def unsubscribed
@email = params[:email]
@email = params[:email]
raise Discourse::NotFound if !User.find_by_email(params[:email])
user = User.find_by_email(params[:email])
raise Discourse::NotFound unless user
@topic = Topic.find_by(id: params[:topic_id].to_i) if params[:topic_id]
@topic = Topic.find_by(id: params[:topic_id].to_i) if params[:topic_id]
raise Discourse::NotFound unless Guardian.new(user).can_see?(@topic)
end
end
end
end
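Review bot: The new check `raise Discourse::NotFound unless Guardian.new(user).can_see?(@topic)` runs even when no `topic_id` param was supplied, in which case `@topic` is nil; if `Guardian#can_see?` is falsy for nil (its body is not visible in this hunk), every unsubscribed request without a topic now 404s instead of rendering the plain page. Guarding on the topic's presence keeps the disclosure fix while preserving that path: `raise Discourse::NotFound if @topic && !Guardian.new(user).can_see?(@topic)`, or, since the topic is only shown as context here, set `@topic = nil` when it is not visible rather than failing the whole page. Note also that the guardian is built for the user matching `params[:email]`, not for the requester, so visibility is judged against the email owner's permissions; whether this action requires anything beyond the email address cannot be seen from the hunk, but if it does not, the title of a restricted topic is still disclosed to anyone who knows the address and the topic id.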