From 0627a12bc5a6d06d3f5d015e6a5e47f6e846361c Mon Sep 17 00:00:00 2001
From: justcool393
Date: Fri, 7 Oct 2022 03:22:07 -0700
Subject: [PATCH] don't let users comment on things they can't see
---
 files/routes/comments.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/files/routes/comments.py b/files/routes/comments.py
index fd5deda04c..df1a744397 100644
--- a/files/routes/comments.py
+++ b/files/routes/comments.py
@@ -164,6 +164,7 @@ def comment(v):
 if parent.author_id == v.id: rts = True
 else: abort(400)
+ if not parent.can_see(v): abort(404)
 if parent.deleted_utc != 0: abort(404)
 body = request.values.get("body", "").strip().replace('‎','')
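Review bot: The added `if not parent.can_see(v): abort(404)` authorizes only whatever object `parent` ends up bound to, and that assignment happens above the hunk. If `parent` can be a comment as well as a post, a reply under a post the user cannot see is rejected only if the comment's `can_see` also consults its post; that is not visible here and should be confirmed, or the post checked explicitly as well. Answering 404 rather than 403 matches the `deleted_utc` check on the next line and avoids confirming that hidden content exists, which is worth recording next to the check as `# 404, not 403: do not reveal that a hidden parent exists`. The diffstat shows no test, so a regression test that submits a comment to a parent the user cannot see and expects 404 would protect this check in later refactors. `comment(v)` starts and ends outside the hunk.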