Prevent non-authors from viewing valuation comments

2018-01-31 18:38:44 +01:00
parent fcf5e6223b
commit bca150bcd5
1 changed files with 5 additions and 1 deletions
--- a/app/controllers/comments_controller.rb
+++ b/app/controllers/comments_controller.rb
@@ -21,7 +21,11 @@ class CommentsController < ApplicationController

  def show
    @comment = Comment.find(params[:id])
-    set_comment_flags(@comment.subtree)
+    if @comment.valuation && @comment.author != current_user
+      raise ActiveRecord::RecordNotFound
+    else
+      set_comment_flags(@comment.subtree)
+    end
  end

  def vote