diff --git a/files/routes/users.py b/files/routes/users.py index f4274a441..e372120b2 100644 --- a/files/routes/users.py +++ b/files/routes/users.py @@ -894,12 +894,13 @@ def followers(v, username): @auth_required def following(v, username): u = get_user(username, v=v) + if not (v.id == u.id or v.admin_level >= PERMS['USER_FOLLOWS_VISIBLE']): abort(403) page = get_page() - users = g.db.query(User).join(Follow, Follow.user_id == u.id) \ + users = g.db.query(Follow, User).join(Follow, Follow.user_id == u.id) \ .filter(Follow.target_id == User.id) total = users.count() diff --git a/files/templates/userpage/following.html b/files/templates/userpage/following.html index f9a5aff68..d5a29d185 100644 --- a/files/templates/userpage/following.html +++ b/files/templates/userpage/following.html @@ -13,7 +13,7 @@
-{% for user in users %} +{% for follow, user in users %}