mirror of
https://github.com/discourse/discourse.git
synced 2024-11-23 15:54:23 +08:00
b609f6c11c
It was possible to see notifications of other users using routes: - notifications/responses - notifications/likes-received - notifications/mentions - notifications/edits We weren't showing anything private (like notifications about private messages), only things that're publicly available in other places. But anyway, it feels strange that it's possible to look at notifications of someone else. Additionally, there is a risk that we can unintentionally leak something on these pages in the future. This commit restricts these routes. |
||
|---|---|---|
| .. | ||
| bookmark_guardian.rb | ||
| category_guardian.rb | ||
| ensure_magic.rb | ||
| group_guardian.rb | ||
| post_guardian.rb | ||
| post_revision_guardian.rb | ||
| tag_guardian.rb | ||
| topic_guardian.rb | ||
| user_guardian.rb | ||