authorcitrons <citrons>2021-08-08 01:07:13 +0000
committercitrons <citrons>2021-08-08 01:07:13 +0000
commit4588c1526d6cb73b85f10e2c177d2686ebc9e26c (patch)
tree7cd9db6adedffdab778e9d56d77d70f241b4f40f
parent9a1373022ea968aa84324eb6db8e3f3a001297d1 (diff)
thread configuration cannot occur if one is not able to view the thread. unlisted forums are completely invisible to those without view permissions
-rw-r--r--apioforum/forum.py5
-rw-r--r--apioforum/thread.py2
2 files changed, 7 insertions, 0 deletions
diff --git a/apioforum/forum.py b/apioforum/forum.py
index ce0215c..108f0ba 100644
--- a/apioforum/forum.py
+++ b/apioforum/forum.py
@@ -83,6 +83,11 @@ def requires_bureaucrat(f):
@forum_route("")
def view_forum(forum):
+ # user should not be able to see anything about the forum if it is unlisted
+ # and the user does not have permission to see things
+ if forum['unlisted'] and not has_permission(forum['id'], g.user, "p_view_threads"):
+ abort(403)
+
db = get_db()
threads = db.execute(
"""SELECT
diff --git a/apioforum/thread.py b/apioforum/thread.py
index e9deea8..3c054d7 100644
--- a/apioforum/thread.py
+++ b/apioforum/thread.py
@@ -314,6 +314,8 @@ def config_thread(thread_id):
err = None
if g.user is None:
err = "you need to be logged in to do that"
+ elif not has_permission(thread['forum'], g.user, "p_view_threads"):
+ err = "you do not have permission to do that"
elif g.user != thread['creator'] and not has_permission(thread['forum'], g.user, "p_manage_threads"):
err = "you can only configure threads that you own"