]> git.mxchange.org Git - quix0rs-gnu-social.git/blobdiff - plugins/Event/showrsvp.php
projects / quix0rs-gnu-social.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Disallow access to events and RSVPs out of scope
[quix0rs-gnu-social.git] / plugins / Event / showrsvp.php
diff --git a/plugins/Event/showrsvp.php b/plugins/Event/showrsvp.php
index fde1d48f0e773d0d85b7ebf8a60b15603ff46559..0f13ca82acdc400638cb68c9219868ba902ad276 100644 (file)
--- a/plugins/Event/showrsvp.php
+++ b/plugins/Event/showrsvp.php
@@ -83,6 +83,16 @@ class ShowrsvpAction extends ShownoticeAction
             throw new ClientException(_('No such RSVP.'), 404);
         }
 
+        if (!empty($cur)) {
+            $curProfile = $cur->getProfile();
+        } else {
+            $curProfile = null;
+        }
+
+        if (!$this->notice->inScope($curProfile)) {
+            throw new ClientException(_('Not available.'), 403);
+        }
+
         $this->user = User::staticGet('id', $this->rsvp->profile_id);
 
         if (empty($this->user)) {
This is my personal clone from the wonderful software GNUSocial. I may fix or break things here, so use it on your own risk. :-)