Summary
Two information disclosure issues allow access to deleted/pending content:
1. Deleted Answer Content via GET /answer/api/v1/answer/info (Low-Medium)
`AnswerService.Get()` calls `answerRepo.GetByID()`, which fetches an answer by its raw ID with no `status != deleted` filter. As a result, deleted answers are returned with their full content to unauthenticated callers.
Secure comparison: `SearchList` correctly filters deleted answers with `session.Where("status != ?", entity.AnswerStatusDeleted)`.
2. Revision History IDOR via GET /answer/api/v1/activity/timeline/detail (Medium)
`GetObjectTimelineDetail` fetches revision content by a sequential integer ID (`autoincr BIGINT`). There is no check of whether the associated question or answer is deleted or pending. Any authenticated user can enumerate `revision_id=1,2,3...` to read the full content of deleted or pending questions and answers.
Secure comparison: `GetRevisionList` correctly checks `objInfo.IsDeleted()` before showing history. `GetQuestion` blocks access to deleted/pending content.
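The two lookups above fail in the same way: the row is fetched by ID and the status of the object (or of its parent object) never gates the response. The following Go example is added here and is not Apache Answer's code; it uses a constructed in-memory store in place of the database, invented status constants, and a `GetRevisionDetail` that resolves the revision's parent before returning content (pending content is visible only to a caller flagged as moderator, an assumption of this example). The unfiltered `GetByID` is kept beside the hardened `GetVisibleByID` so the difference in behaviour for a deleted answer is visible:

```go
package main

import (
	"errors"
	"fmt"
)

// Status values modelled on the advisory's description. The constant names
// are assumptions for this example, not the project's real identifiers.
const (
	StatusAvailable = 1
	StatusPending   = 2
	StatusDeleted   = 10
)

// ErrNotFound is returned for missing *and* for hidden objects, so a caller
// cannot tell "deleted" apart from "never existed".
var ErrNotFound = errors.New("object not found")

// Answer and Revision are simplified stand-ins for the project's entities.
type Answer struct {
	ID      int64
	Status  int
	Content string
}

type Revision struct {
	ID       int64
	ObjectID int64 // the answer this revision belongs to
	Content  string
}

// Store is a constructed in-memory stand-in for the repository layer.
type Store struct {
	answers   map[int64]Answer
	revisions map[int64]Revision
}

// GetByID mirrors the unfiltered lookup from issue 1: any row matching the
// ID is returned, whether or not it has been deleted.
func (s *Store) GetByID(id int64) (Answer, error) {
	a, ok := s.answers[id]
	if !ok {
		return Answer{}, ErrNotFound
	}
	return a, nil
}

// GetVisibleByID is the hardened form: a deleted answer is treated as absent.
func (s *Store) GetVisibleByID(id int64) (Answer, error) {
	a, ok := s.answers[id]
	if !ok || a.Status == StatusDeleted {
		return Answer{}, ErrNotFound
	}
	return a, nil
}

// GetRevisionDetail is a hardened timeline lookup for issue 2: the parent
// object is resolved first and its status decides whether the revision's
// content may be shown. Deleted parents hide the revision from everyone;
// pending parents hide it from non-moderators.
func (s *Store) GetRevisionDetail(revID int64, isModerator bool) (Revision, error) {
	r, ok := s.revisions[revID]
	if !ok {
		return Revision{}, ErrNotFound
	}
	parent, ok := s.answers[r.ObjectID]
	if !ok || parent.Status == StatusDeleted {
		return Revision{}, ErrNotFound
	}
	if parent.Status == StatusPending && !isModerator {
		return Revision{}, ErrNotFound
	}
	return r, nil
}

// sampleStore builds constructed test data: one public, one deleted and one
// pending answer, each with a single revision.
func sampleStore() *Store {
	return &Store{
		answers: map[int64]Answer{
			1: {ID: 1, Status: StatusAvailable, Content: "public answer"},
			2: {ID: 2, Status: StatusDeleted, Content: "moderator-removed answer"},
			3: {ID: 3, Status: StatusPending, Content: "awaiting review"},
		},
		revisions: map[int64]Revision{
			10: {ID: 10, ObjectID: 1, Content: "public answer v1"},
			11: {ID: 11, ObjectID: 2, Content: "deleted answer v1"},
			12: {ID: 12, ObjectID: 3, Content: "pending answer v1"},
		},
	}
}

func main() {
	s := sampleStore()
	a, err := s.GetByID(2)
	fmt.Printf("unfiltered lookup of deleted answer: %q err=%v\n", a.Content, err)
	_, err = s.GetVisibleByID(2)
	fmt.Printf("filtered lookup of deleted answer: err=%v\n", err)
	_, err = s.GetRevisionDetail(11, false)
	fmt.Printf("revision of deleted answer: err=%v\n", err)
	r, err := s.GetRevisionDetail(12, true)
	fmt.Printf("pending revision as moderator: %q err=%v\n", r.Content, err)
}
```

Returning the same `ErrNotFound` for hidden and missing rows is deliberate: a distinct "this object is deleted" error would itself confirm that the ID exists, which is a smaller but real disclosure.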
Impact
- Bypasses content moderation (admin-deleted content remains accessible)
- Reveals pending-review content before publication
- Sequential revision IDs make enumeration trivial
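Until the lookups are fixed, the enumeration pattern the third point describes is easy to spot in access logs: one account walking `revision_id` values one after another. The Go example below is added here and is not part of the advisory or of Apache Answer; it runs a simple run-length check over constructed log lines (the addresses, user IDs and request shape are made up for the example, and the threshold of four consecutive IDs is an assumed tuning value):

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// sampleLog holds constructed access-log lines in a simplified shape:
// client address, authenticated user ID, request line and status code.
const sampleLog = `10.0.0.5 user=42 "GET /answer/api/v1/activity/timeline/detail?revision_id=1 HTTP/1.1" 200
10.0.0.5 user=42 "GET /answer/api/v1/activity/timeline/detail?revision_id=2 HTTP/1.1" 200
10.0.0.5 user=42 "GET /answer/api/v1/activity/timeline/detail?revision_id=3 HTTP/1.1" 200
10.0.0.5 user=42 "GET /answer/api/v1/activity/timeline/detail?revision_id=4 HTTP/1.1" 200
10.0.0.5 user=42 "GET /answer/api/v1/activity/timeline/detail?revision_id=5 HTTP/1.1" 200
10.0.0.9 user=7 "GET /answer/api/v1/activity/timeline/detail?revision_id=318 HTTP/1.1" 200
10.0.0.9 user=7 "GET /answer/api/v1/answer/info?id=77 HTTP/1.1" 200
10.0.0.9 user=7 "GET /answer/api/v1/activity/timeline/detail?revision_id=319 HTTP/1.1" 200`

// timelineRe extracts the client, user and revision_id from a timeline/detail request.
var timelineRe = regexp.MustCompile(`^(\S+) user=(\S+) "GET /answer/api/v1/activity/timeline/detail\?revision_id=(\d+) `)

// EnumerationThreshold is the number of consecutive revision_id values from
// one user that raises an alert (assumed value; tune to real traffic).
const EnumerationThreshold = 4

// FindEnumerators returns, in order of first detection, the user IDs whose
// timeline/detail requests form a run of at least EnumerationThreshold
// consecutive revision_id values. Unrelated requests in between do not
// break a run; a non-consecutive revision_id does.
func FindEnumerators(log string) []string {
	type run struct {
		last   int64
		length int
	}
	runs := map[string]*run{}
	flagged := map[string]bool{}
	var order []string

	for _, line := range strings.Split(log, "\n") {
		m := timelineRe.FindStringSubmatch(line)
		if m == nil {
			continue // not a timeline/detail request
		}
		user := m[2]
		id, err := strconv.ParseInt(m[3], 10, 64)
		if err != nil {
			continue
		}
		r, ok := runs[user]
		if !ok || id != r.last+1 {
			runs[user] = &run{last: id, length: 1} // start a new run
		} else {
			r.last = id
			r.length++
		}
		if runs[user].length >= EnumerationThreshold && !flagged[user] {
			flagged[user] = true
			order = append(order, user)
		}
	}
	return order
}

func main() {
	for _, user := range FindEnumerators(sampleLog) {
		fmt.Printf("possible revision enumeration by user %s\n", user)
	}
}
```

In the sample, user 42 requests revisions 1 through 5 and is flagged; user 7 fetches two adjacent revisions with another request in between, which stays under the threshold and is the kind of ordinary editing activity the check should not alert on.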
Discovery
Found through automated security research comparing content visibility controls across endpoints.