From bca150bcd59db02a28ae07edb151a5d722e9095a Mon Sep 17 00:00:00 2001
From: Bertocq
Date: Wed, 31 Jan 2018 18:38:44 +0100
Subject: [PATCH] Prevent non-authors from viewing valuation comments

---
 app/controllers/comments_controller.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/app/controllers/comments_controller.rb b/app/controllers/comments_controller.rb
index 0f5cb680b..2709f2816 100644
--- a/app/controllers/comments_controller.rb
+++ b/app/controllers/comments_controller.rb
@@ -21,7 +21,11 @@ class CommentsController < ApplicationController
 
   def show
     @comment = Comment.find(params[:id])
-    set_comment_flags(@comment.subtree)
+    if @comment.valuation && @comment.author != current_user
+      raise ActiveRecord::RecordNotFound
+    else
+      set_comment_flags(@comment.subtree)
+    end
   end
 
   def vote
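Review bot: The visibility rule for valuation comments is enforced only inside `show`, so the same record can presumably still be reached through `vote`, whose definition begins at the end of this hunk, and through any view that renders the commentable's comment tree; unless those paths apply the same `@comment.valuation && @comment.author != current_user` predicate, the restriction is incomplete. Expressing the rule once, in the model or in the application's authorization layer, and calling it from every action that loads a comment would keep those paths consistent. Raising `ActiveRecord::RecordNotFound` rather than an authorization error is a sound choice here, since the response does not reveal that a hidden comment exists, and it also covers the anonymous case because `@comment.author != nil` is true. As a point of style, the `else` after `raise` is redundant: `raise ActiveRecord::RecordNotFound if @comment.valuation && @comment.author != current_user` followed by `set_comment_flags(@comment.subtree)` reads as a guard clause.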