don't show notices to out-of-scope viewers

diff --git a/actions/shownotice.php b/actions/shownotice.php
index f6074faddc3d80437601a410ada1b26216f30b69..7127a60db4c216104223f51aabd5efb6e38698e3 100644 (file)
--- a/actions/shownotice.php
+++ b/actions/shownotice.php
@@ -79,7 +79,7 @@ class ShownoticeAction extends OwnerDesignAction
 
         $id = $this->arg('notice');
 
-        $this->notice = Notice::staticGet($id);
+        $this->notice = Notice::staticGet('id', $id);
 
         if (empty($this->notice)) {
             // Did we used to have it, and it got deleted?
@@ -94,6 +94,18 @@ class ShownoticeAction extends OwnerDesignAction
             return false;
         }
 
+        $cur = common_current_user();
+
+        if (!empty($cur)) {
+            $curProfile = $cur->getProfile();
+        } else {
+            $curProfile = null;
+        }
+
+        if (!$this->notice->inScope($curProfile)) {
+            throw new ClientException(_('Not available.'), 403);
+        }
+
         $this->profile = $this->notice->getProfile();
 
         if (empty($this->profile)) {