From 93fb4f40d6990b13d4fc47e6fca0dd9c78a84123 Mon Sep 17 00:00:00 2001
From: justcool393
Date: Tue, 4 Oct 2022 16:51:42 -0700
Subject: [PATCH] security: don't leak comment contents for removed/deleted comments
---
 files/classes/comment.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/files/classes/comment.py b/files/classes/comment.py
index 0423a5d32..7b55aca10 100644
--- a/files/classes/comment.py
+++ b/files/classes/comment.py
@@ -330,6 +330,8 @@ class Comment(Base):
 def realbody(self, v):
 if self.post and self.post.club and not (v and (v.paid_dues or v.id in [self.author_id, self.post.author_id] or (self.parent_comment and v.id == self.parent_comment.author_id))): return f"

{CC} ONLY

"
+ if self.deleted_utc != 0 and not (v and (v.admin_level >= 2) or v.id == self.author.id): return "[Deleted by user]"
+ if self.is_banned and not (v and v.admin_level >= 2): return "[Removed by admins]";
 body = self.body_html or ""
@@ -395,6 +397,8 @@ class Comment(Base):
 def plainbody(self, v):
 if self.post and self.post.club and not (v and (v.paid_dues or v.id in [self.author_id, self.post.author_id] or (self.parent_comment and v.id == self.parent_comment.author_id))): return f"{CC} ONLY"
+ if self.deleted_utc != 0 and not (v and (v.admin_level >= 2) or v.id == self.author.id): return "[Deleted by user]"
+ if self.is_banned and not (v and v.admin_level >= 2): return "[Removed by admins]";
 body = self.body
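Review bot: The added deleted-comment guard in `realbody` reads `v.id` outside the `v` check: `not (v and (v.admin_level >= 2) or v.id == self.author.id)` groups as `(v and ...) or (v.id == ...)`, so when `v` is falsy the right-hand side is still evaluated. The `v and` guards on the surrounding lines imply `v` can be `None` for a logged-out viewer, in which case this would raise instead of returning the placeholder. That fails closed, since no body is returned, but rendering a deleted comment for an anonymous visitor would presumably error out. Keeping both conditions inside the guard, as the club check above does, fixes it: `if self.deleted_utc != 0 and not (v and (v.admin_level >= 2 or v.id == self.author_id)): return "[Deleted by user]"`. The identical line in the `plainbody` hunk needs the same change, and both function bodies continue past their hunks.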
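Review bot: The two visibility checks added to `plainbody` are a verbatim copy of the ones added to `realbody`, so the rule for who may read a deleted or removed comment now lives in two places and can drift apart. A single private helper that returns the placeholder, or `None` when the viewer may read the body, would keep that policy in one spot. It would also give any other code path that reads `self.body` or `self.body_html` one call to reuse; none are visible in this patch, so that is worth checking. The sketch keeps every `v.` access behind the `v` check; plainbody's body continues past the hunk.

```python
def _hidden_placeholder(self, v):
    # Returns the text shown in place of the body, or None if v may read it.
    is_staff = bool(v) and v.admin_level >= 2
    if self.deleted_utc != 0 and not (is_staff or (v and v.id == self.author_id)):
        return "[Deleted by user]"
    if self.is_banned and not is_staff:
        return "[Removed by admins]"
    return None

def plainbody(self, v):
    # … unchanged: club-only check …
    placeholder = self._hidden_placeholder(v)
    if placeholder is not None: return placeholder
    body = self.body
```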