From 31725a06841bbff718c5f019f318ea23d827f829 Mon Sep 17 00:00:00 2001
From: justcool393
Date: Tue, 4 Oct 2022 16:48:01 -0700
Subject: [PATCH] security: don't leak post contents to embeds and other stuff for removed/deleted posts
---
 files/classes/submission.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/files/classes/submission.py b/files/classes/submission.py
index 36d529b9b0..1078a77316 100644
--- a/files/classes/submission.py
+++ b/files/classes/submission.py
@@ -334,6 +334,8 @@ class Submission(Base):
 @lazy
 def realbody(self, v, listing=False):
 if self.club and not (v and (v.paid_dues or v.id == self.author_id)): return f"

{CC} ONLY

"
+ if self.deleted_utc != 0 and not (v and (v.admin_level >= 2) or v.id == self.author.id): return "[Deleted by user]"
+ if self.is_banned and not (v and v.admin_level >= 2): return "[Removed by admins]";
 body = self.body_html or ""
@@ -401,6 +403,8 @@ class Submission(Base):
 @lazy
 def plainbody(self, v):
+ if self.deleted_utc != 0 and not (v and (v.admin_level >= 2) or v.id == self.author.id): return "[Deleted by user]"
+ if self.is_banned and not (v and v.admin_level >= 2): return "[Removed by admins]"
 if self.club and not (v and (v.paid_dues or v.id == self.author_id)): return f"
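Review bot: The deleted-post guard added to `realbody` can dereference a missing viewer: in `not (v and (v.admin_level >= 2) or v.id == self.author.id)` the `or` sits outside the `v and (...)` group, so when `v` is falsy the expression goes on to evaluate `v.id`. The neighbouring `v and ...` guards suggest `v` is `None` for logged-out viewers, so that request would raise `AttributeError` instead of returning the placeholder, and the same line is added to `plainbody` in the second hunk. I would move the parenthesis and use the column the club check already uses: `if self.deleted_utc != 0 and not (v and (v.admin_level >= 2 or v.id == self.author_id)): return "[Deleted by user]"`. The new checks also run after the club check in `realbody` but before it in `plainbody`, and the `is_banned` line in `realbody` ends with a stray `;`; putting the deleted/removed checks first in both and dropping the semicolon keeps the two methods in step. Both method bodies continue outside the hunks, so later uses of `body` are not visible here.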

{CC} ONLY

"
 body = self.body