Prevent viewing deleted or banned posts

This fixes an exploit where you can view deleted and banned posts through the atom service regardless of user level.
2019-02-13 19:58:38 -08:00 · 2019-02-13 19:58:38 -08:00 · 2ec0fed659
commit 2ec0fed659
parent cf5e8365f7
1 changed files with 2 additions and 1 deletions
--- a/config/danbooru_default_config.rb
+++ b/config/danbooru_default_config.rb
@ -462,7 +462,8 @@ module Danbooru
    end

    def can_user_see_post?(user, post)
-     if is_user_restricted?(user) && is_post_restricted?(post)
+      return false if (post.is_deleted? || post.is_banned?) && !user.is_moderator?
+      if is_user_restricted?(user) && is_post_restricted?(post)
        false
      else
        true