From 310f1baa09e8cd0175f3671b8bb786a86eb0bd1e Mon Sep 17 00:00:00 2001
From: rubenwardy
Date: Tue, 26 Aug 2025 18:47:02 +0100
Subject: [PATCH] Prevent mentioned users being added to private threads

---
 app/blueprints/threads/__init__.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/app/blueprints/threads/__init__.py b/app/blueprints/threads/__init__.py
index e4a278a8..0b0092a7 100644
--- a/app/blueprints/threads/__init__.py
+++ b/app/blueprints/threads/__init__.py
@@ -254,6 +254,9 @@ def view(id):
 if mentioned is None:
 continue
+ if not thread.check_perm(mentioned, Permission.SEE_THREAD):
+ continue
+
 msg = "Mentioned by {} in '{}'".format(current_user.display_name, thread.title)
 add_notification(mentioned, current_user, NotificationType.THREAD_REPLY, msg, thread.get_view_url(), thread.package)
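Review bot: The new `check_perm(mentioned, Permission.SEE_THREAD)` guard in `view` is forward-only and ships without a regression test, so nothing here covers users who were already attached to a private thread by an earlier mention. The statement that attaches the mentioned user is outside this hunk (only `add_notification` is visible), so confirm it sits after the new `continue` in the same loop iteration. Any other path that parses mentions, such as thread creation if it has one, needs the same check. A one-off audit of private-thread members who fail `SEE_THREAD` would close out the earlier exposure. I would also add a comment above the guard, e.g. `# A mention must never notify or subscribe a user who cannot already see the thread`, and a test that mentions an unprivileged user in a private thread and asserts that no notification is created.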