From d9c05fcfc883e6cfe5d14aacfae36cd6eb1e8c8b Mon Sep 17 00:00:00 2001
From: Sam
Date: Fri, 7 Feb 2014 14:24:19 +1100
Subject: [PATCH] SECURITY: dissalow mods from seeing PMs
---
.../javascripts/discourse/controllers/user_controller.js | 2 +-
lib/guardian.rb | 7 ++++++-
lib/guardian/post_guardian.rb | 5 ++++-
3 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/app/assets/javascripts/discourse/controllers/user_controller.js b/app/assets/javascripts/discourse/controllers/user_controller.js
index 541f116ea32..65b03627449
--- a/app/assets/javascripts/discourse/controllers/user_controller.js
+++ b/app/assets/javascripts/discourse/controllers/user_controller.js
@@ -15,7 +15,7 @@ Discourse.UserController = Discourse.ObjectController.extend({ collapsedInfo: Em.computed.not('indexStream'), canSeePrivateMessages: function() {
- return this.get('viewingSelf') || Discourse.User.currentProp('staff');
+ return this.get('viewingSelf') || Discourse.User.currentProp('admin');
}.property('viewingSelf'), privateMessageView: function() {
diff --git a/lib/guardian.rb b/lib/guardian.rb
index d6709b40cf0..4ebe2804bf1
--- a/lib/guardian.rb
+++ b/lib/guardian.rb
@@ -13,6 +13,7 @@ class Guardian def blank?; true; end def admin?; false; end def staff?; false; end
+ def moderator?; false; end
def approved?; false; end def secure_category_ids; []; end def topic_create_allowed_category_ids; []; end
@@ -44,6 +45,10 @@ class Guardian @user.staff? end
+ def is_moderator? @user.moderator? end + def is_developer? @user && is_admin? &&
@@ -172,7 +177,7 @@ class Guardian end def can_see_private_messages?(user_id)
- is_staff? || (authenticated? && @user.id == user_id)
+ is_admin? || (authenticated? && @user.id == user_id)
end def can_edit_user?(user)
diff --git a/lib/guardian/post_guardian.rb b/lib/guardian/post_guardian.rb
index 7c1d041627d..7c3ad3d2728
--- a/lib/guardian/post_guardian.rb
+++ b/lib/guardian/post_guardian.rb
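Review bot: The new `canSeePrivateMessages` still lists only `viewingSelf` as its dependent key while the value it returns also depends on `Discourse.User.currentProp('admin')`, so the cached property will not recompute if the current user's admin flag changes without `viewingSelf` changing; whether that can happen in practice depends on how the current user is loaded, which is outside this hunk. More importantly this line is a UI gate only: it hides the messages view but enforces nothing, and the authoritative check is the server-side `Guardian#can_see_private_messages?` changed in the same commit. I would add `// UI only: the server-side Guardian#can_see_private_messages? is the authoritative check` above the return so nobody later loosens this line believing it grants access. The enclosing `Discourse.UserController` object continues outside the hunk.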
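Review bot: `can_see_private_messages?` now requires `is_admin?`, but that only governs the per-user messages listing; whether a moderator can still open a private-message topic directly through `can_see_topic?` (not changed in this commit and not visible here) is what actually decides if PMs are hidden, so that path should be checked and pinned by a spec asserting a moderator is denied on a private-message topic. The restriction is deliberate policy and the one-line body carries no explanation; I would add `# Only admins may read another user's private messages; moderators are deliberately excluded.` above the method so a later refactor does not fold this back into `is_staff?`. The method is complete in the hunk; the surrounding `Guardian` class continues outside it.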
@@ -100,7 +100,10 @@ module PostGuardain end def can_see_post?(post)
- post.present? && (is_staff? || (!post.deleted_at.present? && can_see_topic?(post.topic)))
+ post.present? &&
+ (is_admin? ||
+ ((is_moderator? || !post.deleted_at.present?) &&
+ can_see_topic?(post.topic)))
end def can_see_post_revision?(post_revision)
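Review bot: The rewritten `can_see_post?` is correct as far as the hunk shows, but a three-level nested boolean is hard to audit for an access check; I would flatten it into guard clauses that read in policy order (no post → deny; admin → allow; deleted and not moderator → deny; otherwise defer to `can_see_topic?`), which has the same truth table as the new expression. Note that the only thing now keeping moderators away from private-message posts here is `can_see_topic?(post.topic)`, which this commit does not change and which is not visible in the hunk, so it should be confirmed that that method denies moderators on private-message topics; otherwise this change is cosmetic. Also, a moderator previously saw any post regardless of topic visibility via `is_staff?`, whereas the new code denies them when `can_see_topic?` fails, which is presumably intended but deserves a spec. The `PostGuardain` module continues outside the hunk.
```ruby
def can_see_post?(post)
  return false unless post.present?
  return true if is_admin?
  # Deleted posts are visible to moderators only; everyone else sees live posts,
  # and in every non-admin case topic visibility is the final gate.
  return false if post.deleted_at.present? && !is_moderator?
  can_see_topic?(post.topic)
end
```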