disallow access to out-of-scope bookmark

author Evan Prodromou <evan@status.net>

Tue, 29 Mar 2011 02:50:45 +0000 (22:50 -0400)

committer Evan Prodromou <evan@status.net>

Tue, 29 Mar 2011 02:50:45 +0000 (22:50 -0400)
author Evan Prodromou <evan@status.net>
Tue, 29 Mar 2011 02:50:45 +0000 (22:50 -0400)
committer Evan Prodromou <evan@status.net>
Tue, 29 Mar 2011 02:50:45 +0000 (22:50 -0400)
diff --git a/plugins/Bookmark/showbookmark.php b/plugins/Bookmark/showbookmark.php

index 6bebffb68e2e81710ed96ede63b9752acbae2073..435d85940a506434f6344313afaf071b8830d881 100644 (file)
--- a/plugins/Bookmark/showbookmark.php
+++ b/plugins/Bookmark/showbookmark.php
@@ -76,6 +76,16 @@ class ShowbookmarkAction extends ShownoticeAction
              throw new ClientException(_('No such bookmark.'), 404);
          }
  
+        if (!empty($cur)) {
+            $curProfile = $cur->getProfile();
+        } else {
+            $curProfile = null;
+        }
+
+        if (!$this->notice->inScope($curProfile)) {
+            throw new ClientException(_('Not available.'), 403);
+        }
+
          $this->user = User::staticGet('id', $this->bookmark->profile_id);
  
          if (empty($this->user)) {
author	Evan Prodromou <evan@status.net>
	Tue, 29 Mar 2011 02:50:45 +0000 (22:50 -0400)
committer	Evan Prodromou <evan@status.net>
	Tue, 29 Mar 2011 02:50:45 +0000 (22:50 -0400)