From 4588c1526d6cb73b85f10e2c177d2686ebc9e26c Mon Sep 17 00:00:00 2001
From: citrons
Date: Sun, 8 Aug 2021 01:07:13 +0000
Subject: thread configuration cannot occur if one is not able to view the thread. unlisted forums are completely invisible to those without view permissions
---
 apioforum/forum.py | 5 +++++
 apioforum/thread.py | 2 ++
 2 files changed, 7 insertions(+)
diff --git a/apioforum/forum.py b/apioforum/forum.py
index ce0215c..108f0ba 100644
--- a/apioforum/forum.py
+++ b/apioforum/forum.py
@@ -83,6 +83,11 @@ def requires_bureaucrat(f):
 @forum_route("")
 def view_forum(forum):
+ # user should not be able to see anything about the forum if it is unlisted
+ # and the user does not have permission to see things
+ if forum['unlisted'] and not has_permission(forum['id'], g.user, "p_view_threads"):
+ abort(403)
+
 db = get_db()
 threads = db.execute(
 """SELECT
diff --git a/apioforum/thread.py b/apioforum/thread.py
index e9deea8..3c054d7 100644
--- a/apioforum/thread.py
+++ b/apioforum/thread.py
@@ -314,6 +314,8 @@ def config_thread(thread_id):
 err = None
 if g.user is None:
 err = "you need to be logged in to do that"
+ elif not has_permission(thread['forum'], g.user, "p_view_threads"):
+ err = "you do not have permission to do that"
 elif g.user != thread['creator'] and not has_permission(thread['forum'], g.user, "p_manage_threads"):
 err = "you can only configure threads that you own"
--
cgit v1.2.3
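Review bot: `abort(403)` in view_forum confirms to a caller without p_view_threads that the unlisted forum id exists, since a forum that does not exist presumably produces a different response; the commit message wants unlisted forums to be "completely invisible", which a 404 delivers and a 403 does not. Changing the new line to `abort(404)` makes the unlisted-and-forbidden case indistinguishable from a missing forum. The check also passes `g.user` through unconditionally, so it relies on has_permission handling an anonymous (None) user as "no permission" — worth confirming, as has_permission is not visible here. view_forum continues past the end of the hunk, and whether other forum routes apply the same gate cannot be seen from this commit.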
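Review bot: The new `elif` in config_thread carries no comment, while the parallel gate added to view_forum in the same commit explains its purpose; add `# a thread the user cannot view must not be configurable, even by its creator` above it so the placement ahead of the ownership branch reads as deliberate rather than incidental. The branch only assigns `err`; the code that acts on `err` lies outside the hunk, so the protection depends on that later code returning before any write, which is worth a glance when reviewing the rest of the handler. config_thread begins before and continues after the hunk.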