From c565694c99dca744b8b766eb30f7a9d33ef84ab4 Mon Sep 17 00:00:00 2001
From: Max Goodman
Date: Tue, 20 Aug 2013 16:47:34 -0700
Subject: [PATCH] Restrict access to private subreddit data via the API. Thanks to a report by Jordan Milne.
---
r2/r2/lib/jsontemplates.py | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/r2/r2/lib/jsontemplates.py b/r2/r2/lib/jsontemplates.py
index 5959c709e..6bc61e52b 100755
--- a/r2/r2/lib/jsontemplates.py
+++ b/r2/r2/lib/jsontemplates.py
@@ -247,6 +247,18 @@ class SubredditJsonTemplate(ThingJsonTemplate):
 user_is_subscriber="is_subscriber",
 )
+ _private_attrs = set([
+ "accounts_active",
+ "comment_score_hide_mins",
+ "description",
+ "description_html",
+ "header_img",
+ "header_size",
+ "header_title",
+ "submit_link_label",
+ "submit_text_label",
+ ])
+
 def raw_data(self, thing):
 data = ThingJsonTemplate.raw_data(self, thing)
 permissions = getattr(thing, 'mod_permissions', None)
@@ -256,6 +268,9 @@ class SubredditJsonTemplate(ThingJsonTemplate):
 return data
 def thing_attr(self, thing, attr):
+ if attr in self._private_attrs and not thing.can_view(c.user):
+ return None
+
 if attr == "_ups" and thing.hide_subscribers:
 return 0
 # Don't return accounts_active counts in /subreddits
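Review bot: `_private_attrs` is a deny-list, so any attribute added to this template's `_data_attrs_` in the future is exposed on private subreddits unless someone remembers to add it here; the set carries no comment saying so, and nothing in the diff ties it to `thing_attr`, which lives in the second hunk. I would add a comment above the set such as `# Withheld from the API response unless thing.can_view(c.user) (see thing_attr). New _data_attrs_ entries are public by default; list them here if they reveal private-subreddit content.` so the invariant survives the next edit to the attribute map. If an allow-list of public attributes is feasible for this template, that would fail closed instead, but I cannot tell from this hunk which attributes are meant to stay public. The diffstat shows no test change; a regression test that renders a private subreddit for a non-member and asserts each listed key is null would pin the fix.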
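Review bot: The new guard in `thing_attr` only covers values that flow through `thing_attr`; the `raw_data` override shown in the first hunk reads `thing.mod_permissions` via `getattr` directly and then continues past the hunk, so it is worth confirming that nothing it merges into `data` belongs on the private list. The guard also calls `thing.can_view(c.user)` once per listed attribute per serialized subreddit; that is presumably cheap, but if `can_view` touches storage it would be better computed once in `raw_data` and stored for the attribute loop. A short docstring on `thing_attr` would help here, e.g. `"""Return the value for attr, or None when attr is private and c.user cannot view the subreddit; _ups and accounts_active are additionally masked below."""`. The rest of `thing_attr` ends outside the hunk.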