From 75edfe8b31e96ed0b438a93864d17e9390a8a341 Mon Sep 17 00:00:00 2001
From: Ben Rog-Wilhelm <zorba-github@pavlovian.net>
Date: Mon, 4 Sep 2023 23:09:54 -0500
Subject: [PATCH] Fix: Mod-only information leaked via the API. (#696)

---
 files/classes/comment.py    | 12 +++++-------
 files/classes/submission.py | 12 +++++-------
 files/classes/user.py       |  1 -
 3 files changed, 10 insertions(+), 15 deletions(-)

diff --git a/files/classes/comment.py b/files/classes/comment.py
index 7b9ab2d20..ab19fa71d 100644
--- a/files/classes/comment.py
+++ b/files/classes/comment.py
@@ -213,9 +213,6 @@ class Comment(CreatedBase):
 	@property
 	@lazy
 	def json_raw(self):
-		flags = {}
-		for f in self.flags(None): flags[f.user.username] = f.reason
-
 		data= {
 			'id': self.id,
 			'level': self.level,
@@ -230,12 +227,13 @@ class Comment(CreatedBase):
 			'is_pinned': self.is_pinned,
 			'distinguish_level': self.distinguish_level,
 			'post_id': self.post.id if self.post else 0,
-			'score': self.score,
-			'upvotes': self.upvotes,
-			'downvotes': self.downvotes,
 			'is_bot': self.is_bot,
-			'flags': flags,
 			}
+		
+		if not self.should_hide_score:
+			data['score'] = self.score
+			data['upvotes'] = self.upvotes
+			data['downvotes'] = self.downvotes
 
 		return data
 
diff --git a/files/classes/submission.py b/files/classes/submission.py
index d406aba4b..f539217aa 100644
--- a/files/classes/submission.py
+++ b/files/classes/submission.py
@@ -222,9 +222,6 @@ class Submission(CreatedBase):
 	@property
 	@lazy
 	def json_raw(self):
-		flags = {}
-		for f in self.flags(None): flags[f.user.username] = f.reason
-
 		data = {'author_name': self.author_name if self.author else '',
 				'permalink': self.permalink,
 				'shortlink': self.shortlink,
@@ -241,15 +238,16 @@ class Submission(CreatedBase):
 				'created_utc': self.created_utc,
 				'edited_utc': self.edited_utc or 0,
 				'comment_count': self.comment_count,
-				'score': self.score,
-				'upvotes': self.upvotes,
-				'downvotes': self.downvotes,
 				'stickied': self.stickied,
 				'private' : self.private,
 				'distinguish_level': self.distinguish_level,
 				'voted': self.voted if hasattr(self, 'voted') else 0,
-				'flags': flags,
 				}
+		
+		if not self.should_hide_score:
+			data['score'] = self.score
+			data['upvotes'] = self.upvotes
+			data['downvotes'] = self.downvotes
 
 		return data
 
diff --git a/files/classes/user.py b/files/classes/user.py
index 658dace27..7ea2f2bd0 100644
--- a/files/classes/user.py
+++ b/files/classes/user.py
@@ -519,7 +519,6 @@ class User(CreatedBase):
 		data = self.json_core
 
 		data["badges"] = [x.json for x in self.badges]
-		data['coins'] = self.coins
 		data['post_count'] = self.post_count
 		data['comment_count'] = self.comment_count