FIX: better upcoming-events security (#25)

FIX: better upcoming-events security (#25)

diff --git a/app/controllers/discourse_calendar/post_events_controller.rb b/app/controllers/discourse_calendar/post_events_controller.rb
index 52891cd..7ee1f8d 100644
--- a/app/controllers/discourse_calendar/post_events_controller.rb
+++ b/app/controllers/discourse_calendar/post_events_controller.rb
@@ -5,7 +5,28 @@ module DiscourseCalendar
     before_action :ensure_logged_in
 
     def index
-      post_events = PostEvent.visible.where("starts_at > ?", Time.now).limit(10)
+      # TODO: optimize this
+      post_events_topics_ids = PostEvent
+        .visible
+        .where('starts_at > ?', Time.now)
+        .joins(:post)
+        .limit(100)
+        .select('posts.topic_id')
+
+      secured_topic_ids = Topic
+        .visible
+        .listable_topics
+        .where(id: post_events_topics_ids)
+        .secured(guardian)
+        .select(:id)
+
+      post_events = PostEvent
+        .visible
+        .joins(:post)
+        .where('posts.topic_id' => secured_topic_ids)
+        .where('starts_at > ?', Time.now)
+        .limit(10)
+
       render json: ActiveModel::ArraySerializer.new(
         post_events,
         each_serializer: PostEventSerializer,
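Review bot: The pre-filter query at L15–L20 applies `limit(100)` with no `order`, so once more than 100 upcoming events exist the set of candidate topic ids is database-dependent and the final `limit(10)` at L34 is likewise unordered — the endpoint may return an arbitrary ten upcoming events rather than the next ten, and events the user is allowed to read can be dropped while others are not. Adding `.order(:starts_at)` to both the pre-filter and the final query (before each `limit`) fixes the ordering; alternatively drop the intermediate `limit(100)` and let `secured(guardian)` run against all upcoming topic ids, since the intent is to scope by topic visibility, not to cap candidates. `Time.now` is also evaluated twice (L17 and L33), so the two queries use slightly different cut-offs; capture it once, `now = Time.now`, and reuse it in both `where` clauses. The topic-level `secured(guardian)` check restricts to topics the current user may read, but if `PostEvent.visible` does not already exclude deleted posts, the joined post should also be filtered with `.where(posts: { deleted_at: nil })` — verify against the scope definition. The `index` method continues past the end of this hunk, and the `# TODO: optimize this` comment at L14 would be more useful if it named what is slow (the two-step subquery) so the follow-up is actionable.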

GitHub sha: 61565eda

This commit appears in #25 which was merged by jjaffeux.