SECURITY: do not show private topic title on /unsubscribed page

SECURITY: do not show private topic title on /unsubscribed page

diff --git a/app/controllers/email_controller.rb b/app/controllers/email_controller.rb
index c665220..76fcd5f 100644
--- a/app/controllers/email_controller.rb
+++ b/app/controllers/email_controller.rb
@@ -110,10 +110,11 @@ class EmailController < ApplicationController
 
   def unsubscribed
     @email = params[:email]
+    @topic_id = params[:topic_id]
     user = User.find_by_email(params[:email])
     raise Discourse::NotFound unless user
-    @topic = Topic.find_by(id: params[:topic_id].to_i) if params[:topic_id]
-    raise Discourse::NotFound unless Guardian.new(user).can_see?(@topic)
+    topic = Topic.find_by(id: params[:topic_id].to_i) if @topic_id
+    @topic = topic if topic && Guardian.new(nil).can_see?(topic)
   end
 
 end
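Review bot: The page still discloses whether an account exists for the supplied address: the context line `raise Discourse::NotFound unless user` answers 404 for unknown emails and 200 for known ones (the spec's `be_success`), on an endpoint reached from an email link with no session — an email-enumeration oracle that predates this commit but is worth closing while the action is being hardened, e.g. by rendering the same page whether or not the lookup matched. Separately, `@topic_id = params[:topic_id]` is only tested for truthiness on the following lines, so `?topic_id=` (empty string) or a non-numeric value falls through to `Topic.find_by(id: 0)` and the view's private-topic wording; `@topic_id = params[:topic_id].presence` keeps those requests out of that branch. A one-line comment such as `# anonymous guardian: no session on this page, so only titles visible to everyone may be rendered` would record why `Guardian.new(nil)` replaces `Guardian.new(user)` here.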
diff --git a/app/views/email/unsubscribed.html.erb b/app/views/email/unsubscribed.html.erb
index a593bfe..e57a2a1 100644
--- a/app/views/email/unsubscribed.html.erb
+++ b/app/views/email/unsubscribed.html.erb
@@ -7,8 +7,8 @@
   </p>
 
   <% if @topic %>
-  <p>
-    <%=t("unsubscribed.topic_description", link: render_topic_title(@topic)).html_safe%>
-  </p>
+    <p><%=t("unsubscribed.topic_description", link: render_topic_title(@topic)).html_safe%></p>
+  <% elsif @topic_id %>
+    <p><%=t("unsubscribed.private_topic_description")%></p>
   <% end %>
 </div>
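Review bot: `.html_safe` on the `topic_description` line marks the whole interpolated string as trusted, so the rendered output is only as safe as `render_topic_title(@topic)` escapes the title, which presumably is user-controlled; that helper is outside this hunk, so it is worth confirming, or the key can be renamed `topic_description_html` so Rails' `_html` translation convention escapes interpolations instead of the blanket `.html_safe`. The new `elsif @topic_id` branch also fires for ids that do not exist at all, which is harmless but means the wording really covers "topic not shown", not only private topics.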
diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
index 16df686..4974f10 100644
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@@ -760,6 +760,7 @@ en:
     title: "Unsubscribed!"
     description: "<b>%{email}</b> has been unsubscribed. To change your email settings <a href='%{url}'>visit your user preferences</a>."
     topic_description: "To re-subscribe to %{link}, use the notification control at the bottom or right of the topic."
+    private_topic_description: "To re-subscribe, use the notification control at the bottom or right of the topic."
 
   unsubscribe:
     title: "Unsubscribe"
diff --git a/spec/requests/email_controller_spec.rb b/spec/requests/email_controller_spec.rb
index cd05901..370f697 100644
--- a/spec/requests/email_controller_spec.rb
+++ b/spec/requests/email_controller_spec.rb
@@ -1,6 +1,10 @@
 require 'rails_helper'
 
 RSpec.describe EmailController do
+  let(:user) { Fabricate(:user) }
+  let(:topic) { Fabricate(:topic) }
+  let(:private_topic) { Fabricate(:private_message_topic) }
+
   describe '#unsubscribed' do
     describe 'when email is invalid' do
       it 'should return the right response' do
@@ -9,5 +13,21 @@ RSpec.describe EmailController do
         expect(response.status).to eq(404)
       end
     end
+
+    describe 'when topic is public' do
+      it 'should return the right response' do
+        get '/email/unsubscribed', params: { email: user.email, topic_id: topic.id }
+        expect(response).to be_success
+        expect(response.body).to include(topic.title)
+      end
+    end
+
+    describe 'when topic is private' do
+      it 'should return the right response' do
+        get '/email/unsubscribed', params: { email: user.email, topic_id: private_topic.id }
+        expect(response).to be_success
+        expect(response.body).to_not include(private_topic.title)
+      end
+    end
   end
 end
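Review bot: The private-topic example sends `user.email`, a user who is not a participant in `private_topic` unless the fabricator adds them, so it does not exercise the scenario the commit fixes — a requester supplying the email of someone who can see the PM and reading its title from the page. Add a case that uses the email of one of the PM's allowed users (e.g. `private_topic.topic_allowed_users.first.user.email`, adjusted to the fabricator) and assert the fallback wording as well, `expect(response.body).to include(I18n.t('unsubscribed.private_topic_description'))`, so the test pins both the absence of the title and the branch that replaces it.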

GitHub sha: 8d1e8fa7
