From 7cd4880e2409e04ec89ba35de18b1aa8c640c97e Mon Sep 17 00:00:00 2001
From: David Taylor
Date: Fri, 8 Sep 2017 22:09:05 +0100
Subject: [PATCH] SECURITY: Only publish PM reply messagebus notifications to allowed users

---
 app/models/post.rb | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/app/models/post.rb b/app/models/post.rb
index ad2b98e2f45..4f8ba9770ff 100644
--- a/app/models/post.rb
+++ b/app/models/post.rb
@@ -147,7 +147,13 @@ class Post < ActiveRecord::Base
     }.merge(options)
 
     if Topic.visible_post_types.include?(post_type)
-      MessageBus.publish(channel, msg, group_ids: topic.secure_group_ids)
+      if topic.archetype == Archetype.private_message
+        user_ids = User.where('admin or moderator').pluck(:id)
+        user_ids |= topic.allowed_users.pluck(:id)
+        MessageBus.publish(channel, msg, user_ids: user_ids)
+      else
+        MessageBus.publish(channel, msg, group_ids: topic.secure_group_ids)
+      end
     else
       user_ids = User.where('admin or moderator or id = ?', user_id).pluck(:id)
       MessageBus.publish(channel, msg, user_ids: user_ids)
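Review bot: The private-message branch builds its recipient list from `topic.allowed_users` only, so if this codebase lets a PM be addressed to a group (the topic's allowed groups), members of such a group would silently stop receiving the reply notification while still being able to read the PM; the hunk gives no evidence either way, so this is worth confirming against the topic model before merging. Restricting to an explicit `user_ids` allow-list is the right direction, since the `group_ids` path it replaces is not a PM access check, and the `|=` union keeps admin/moderator ids deduplicated regardless of order. A short comment would help the next reader, e.g. `# PMs are not group-secured; publish only to staff and the topic's explicitly allowed users` above the `if topic.archetype` line. The `'admin or moderator'` condition is a fixed literal with no interpolation, so it introduces no injection surface, though it runs an extra staff query on every publish. The enclosing method begins before the hunk and its `else` branch continues past it.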