/gold: Ensure user should be allowed to see a comment.

This fixes an information disclosure vulnerability reported by Jordan Milne (/u/largenocream).
2026-04-27 03:00:12 -04:00 · 2014-02-14 14:18:27 -08:00
parent f8bf988006
commit 240140ee59
1 changed files with 2 additions and 2 deletions
--- a/r2/r2/controllers/front.py
+++ b/r2/r2/controllers/front.py
@@ -1494,8 +1494,8 @@ class FormsController(RedditController):

        if comment:
            comment_sr = Subreddit._byID(comment.sr_id, data=True)
-            if (comment._deleted or
-                    comment._spam or
+            if (comment._deleted or comment._spam or
+                    not comment_sr.can_view(c.user) or
                    not comment_sr.allow_comment_gilding):
                comment = None