Merge pull request #1817 from aladh/patch-1

Prevent unauthorized access to feeds with a single subscriber
2025-04-13 09:38:09 +00:00 · 2023-11-07 20:37:27 -05:00 · 2023-11-07 20:37:27 -05:00 · 67b1041401
commit 67b1041401
parent b9d0ae626f 54cbeeac3a
1 changed files with 4 additions and 0 deletions
--- a/apps/reader/views.py
+++ b/apps/reader/views.py
@ -671,6 +671,10 @@ def load_single_feed(request, feed_id):
    if feed.is_newsletter and not usersub:
        # User must be subscribed to a newsletter in order to read it
        raise Http404
+
+    if feed.num_subscribers = 1 and not usersub:
+        # This feed could be private so user must be subscribed in order to read it
+        raise Http404
    
    if page > 400:
        logging.user(request, "~BR~FK~SBOver page 400 on single feed: %s" % page)