From 240140ee59f56cabf9cd2b3a3470eecd5089f611 Mon Sep 17 00:00:00 2001
From: Neil Williams
Date: Fri, 14 Feb 2014 14:18:27 -0800
Subject: [PATCH] /gold: Ensure user should be allowed to see a comment.
This fixes an information disclosure vulnerability reported by Jordan Milne (/u/largenocream).
---
 r2/r2/controllers/front.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/r2/r2/controllers/front.py b/r2/r2/controllers/front.py
index b95db8265..1a06da132 100755
--- a/r2/r2/controllers/front.py
+++ b/r2/r2/controllers/front.py
@@ -1494,8 +1494,8 @@ class FormsController(RedditController):
 if comment:
 comment_sr = Subreddit._byID(comment.sr_id, data=True)
- if (comment._deleted or
- comment._spam or
+ if (comment._deleted or comment._spam or
+ not comment_sr.can_view(c.user) or
 not comment_sr.allow_comment_gilding):
 comment = None
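Review bot: The added `not comment_sr.can_view(c.user)` term is the authorization gate for this lookup, but nothing in the condition marks it as such, so a later refactor could reorder or drop it along with the moderation flags; a comment on that line, `# authorization: a comment the viewer cannot see is treated exactly like a deleted one`, would make the intent durable. Folding the result into `comment = None` is the right shape, since the response is then indistinguishable from a nonexistent comment and existence is not leaked either. If this controller has a parallel lookup for gilding links, it presumably needs the same `can_view` guard; that code is outside the hunk and worth checking. A regression test that requests a comment from a subreddit the requesting user cannot view would pin the fix. The enclosing method begins before the hunk.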