From 5609a96e05f782550c9b182fbdba433b18abae22 Mon Sep 17 00:00:00 2001 From: TLSM Date: Tue, 21 Jun 2022 02:38:18 -0400 Subject: [PATCH] Fix info leak of removed & deleted via post embeds. Embedded local posts (posts which link to posts on the same site) embed the linked post using submission_listing.html via helpers/jinja2:post_embed. This suffered from much the same issue recently fixed in submission.html through the addition of `v_forbid_deleted` in the template before outputting privileged information. A similar fix has been applied to submission_listing. Unfortunately, this is not the most elegant fix. Surely this would be better resolved more centrally in the submission model. However, I am not clear at present about the precise interaction between deletion, removal, and realbody & realurl in all of the different places they are used. This commit fixes the problem, but it also highlights a potential future refactoring target.
---
files/templates/submission_listing.html | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/files/templates/submission_listing.html b/files/templates/submission_listing.html
index d0584e0c26..c36db1001c 100644
--- a/files/templates/submission_listing.html
+++ b/files/templates/submission_listing.html
@@ -65,6 +65,8 @@ {% set voted=-2 %} {% endif %}
+{% set v_forbid_deleted = (p.deleted_utc != 0 or p.is_banned) and not (v and v.admin_level >= 2) and not (v and v.id == p.author_id) %}
+ {% if p.active_flags(v) %}
Reported by:
@@ -112,6 +114,7 @@
+ {% if not v_forbid_deleted %}
{% if p.club and not (v and (v.paid_dues or v.id == p.author_id)) %} post thumnail
@@ -135,6 +138,7 @@ {% endif %}
+ {% endif %}
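Review bot: The `{% endif %}` added here closes the `{% if not v_forbid_deleted %}` opened in the previous hunk roughly two dozen lines earlier, with the `p.club` conditional nested in between, and neither end says what it guards. Labelling both ends would keep a later edit from moving markup outside the guard, e.g. `{% endif %}{# not v_forbid_deleted: thumbnail hidden for deleted/removed posts #}`. The flag's definition in the first hunk would benefit from a one-line Jinja comment as well, stating that it mirrors the check in submission.html and what `admin_level >= 2` stands for, since the two copies now have to be kept in sync by hand. The thumbnail block itself lies between the two hunks and is not visible here.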
@@ -337,7 +341,7 @@
-{% if not p.club or v and (v.paid_dues or v.id == p.author_id) %}
+{% if (not p.club or v and (v.paid_dues or v.id == p.author_id)) and not v_forbid_deleted %} {% if p.realbody(v) %}
{{p.realbody(v) | safe}}
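Review bot: The new `and not v_forbid_deleted` term is the only thing keeping a deleted or removed post's body away from the unescaped `{{p.realbody(v) | safe}}` output below it, and the patch adds no test for it; the diffstat lists the template alone. A regression test that renders the embed of a deleted post and of a removed post for a logged-out viewer, for the author and for an admin, and asserts that body and thumbnail are absent or present accordingly, would catch a later edit to this condition. The visible hunks gate only the thumbnail and the body; whether the title and the outbound link rendered elsewhere in this template need the same guard cannot be judged from the diff and should be checked. The enclosing `{% if %}` block continues past the end of the hunk.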