From 9088fe719195d6031888ad2014d652ab524551b0 Mon Sep 17 00:00:00 2001
From: luap42 <21335202+luap42@users.noreply.github.com>
Date: Mon, 14 Dec 2020 10:31:23 +0100
Subject: [PATCH] Fix privilege escalation for tools display

Sounds scarier than it is: the Tools and Show Flags Inline buttons were visible to the post author even if they didn't have the flag_curate ability, in which case the buttons were not connected to any action.
---
 app/views/posts/_expanded.html.erb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/app/views/posts/_expanded.html.erb b/app/views/posts/_expanded.html.erb
index 41c263d97..f6c43b3cd 100644
--- a/app/views/posts/_expanded.html.erb
+++ b/app/views/posts/_expanded.html.erb
@@ -230,6 +230,8 @@
                   <% end %>
                 <% end %>
               <% end %>
+            <% end %>
+            <% if check_your_privilege('flag_curate') %>
               <a href="javascript:void(0);" data-modal="#mod-tools-<%= post.id %>" class="tools--item">
                 <i class="fa fa-wrench"></i>
                 Tools
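Review bot: The added `check_your_privilege('flag_curate')` condition only controls whether the Tools link is rendered, so it should not be the only place the ability is checked. The controller actions reached from the `#mod-tools-<%= post.id %>` modal need their own server-side `flag_curate` check, which this hunk does not show. The markup for that modal is also outside the hunk, and if it is rendered elsewhere without the same condition it is still delivered to post authors who lack the ability. The new `if` has no matching `<% end %>` among the added lines, so it presumably reuses the one that closed the previous block further down. A short comment above the condition, such as `<%# flag_curate only: display guard, the actions are authorised in the controller %>`, would make the intended scope clear.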
-- 
GitLab