From 44a4bb6e6f8884b11a27628bcf5eb51f54f6d9c7 Mon Sep 17 00:00:00 2001
From: flashwave
Date: Sun, 2 Jun 2024 19:57:58 +0000
Subject: [PATCH] Prevent access to private messages when impersonating a user.

---
 src/Messages/MessagesRoutes.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/Messages/MessagesRoutes.php b/src/Messages/MessagesRoutes.php
index fe345ca..334fd94 100644
--- a/src/Messages/MessagesRoutes.php
+++ b/src/Messages/MessagesRoutes.php
@@ -39,6 +39,10 @@ class MessagesRoutes extends RouteHandler {
 if(!$this->authInfo->isLoggedIn())
 return 401;
 
+ // do not allow access to PMs when impersonating in production mode
+ if(!MSZ_DEBUG && $this->authInfo->isImpersonating())
+ return 403;
+
 $globalPerms = $this->authInfo->getPerms('global');
 if(!$globalPerms->check(Perm::G_MESSAGES_VIEW))
 return 403;
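Review bot: The new guard only denies impersonated PM access when `MSZ_DEBUG` is false, so the privacy control hinges on the debug flag rather than on the impersonation state itself; if a deployment leaves `MSZ_DEBUG` enabled, an impersonating staff member can read the impersonated user's private messages. If the exemption exists only for local testing, make that explicit in the comment, e.g. `// PMs belong to the impersonated user: deny while impersonating (debug builds exempt for local testing only)`, and confirm `MSZ_DEBUG` cannot be true in production. A denied attempt here is a meaningful audit event, so it may be worth recording it in whatever log trail impersonation already uses; I cannot see from this hunk whether such logging exists. The enclosing method starts before the hunk, and I cannot tell whether other routes in this handler or elsewhere expose message contents without passing through this check.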