SECURITY: Don't allow moderators to view the admins inbox

diff --git a/lib/topic_query.rb b/lib/topic_query.rb
index ec6133c..fcffb42 100644
--- a/lib/topic_query.rb
+++ b/lib/topic_query.rb
@@ -540,7 +540,8 @@ class TopicQuery
               SELECT group_id
               FROM group_users
               WHERE user_id = #{user.id.to_i}
-              OR #{user.staff?}
+              OR #{user.admin?}
+              OR (#{user.staff?} AND group_id <> #{Group::AUTO_GROUPS[:admins]})
             )
           )
           AND group_id IN (SELECT id FROM groups WHERE name ilike ?)
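Review bot: The new branch `OR (#{user.staff?} AND group_id <> #{Group::AUTO_GROUPS[:admins]})` closes only the admins inbox; for a moderator the condition still evaluates to `OR true` for every other group, so the subquery keeps returning all `group_id` rows from `group_users` and the outer `group_id IN (SELECT id FROM groups WHERE name ilike ?)` filter lets a moderator list the PMs of any non-admin group they are not a member of. If that is intended, the commit message should say so; either way the fix ships without a spec, so add one that runs the query as a moderator against the admins group and asserts an empty result, plus one for an admin to guard the `OR #{user.admin?}` branch. A smaller point: `#{user.admin?}` and `#{user.staff?}` are interpolated into the SQL as literal `true`/`false`; deciding the excluded group ids in Ruby and binding them as parameters (as the `ilike ?` placeholder already does) would keep booleans out of the interpolated string.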

GitHub sha: 18d35bf6

2 Likes

Looks good :+1:. Will need a test though :wink:

2 Likes

Tests were added in SECURITY: Don't allow moderators to list PMs of all groups.

1 Like