Ensure only the application's owner can edit it
authorZach Copley <zach@status.net>
Wed, 13 Jan 2010 18:20:03 +0000 (18:20 +0000)
committerZach Copley <zach@status.net>
Thu, 14 Jan 2010 02:41:09 +0000 (02:41 +0000)
actions/editapplication.php

index a6db87c61e21747479b608064b9c9f91c698d988..9cc3e3cead0cac9670a11f2761d7e0f5d9f11118 100644 (file)
@@ -45,9 +45,9 @@ if (!defined('STATUSNET') && !defined('LACONICA')) {
 
 class EditApplicationAction extends OwnerDesignAction
 {
-    var $msg = null;
-
-    var $app = null;
+    var $msg   = null;
+    var $owner = null;
+    var $app   = null;
 
     function title()
     {
@@ -68,7 +68,14 @@ class EditApplicationAction extends OwnerDesignAction
         }
 
         $id = (int)$this->arg('id');
-        $this->app = Oauth_application::staticGet($id);
+
+        $this->app   = Oauth_application::staticGet($id);
+        $this->owner = User::staticGet($this->app->owner);
+        $cur         = common_current_user();
+
+        if ($cur->id != $this->owner->id) {
+            $this->clientError(_('You are not the owner of this application.'), 401);
+        }
 
         if (!$this->app) {
             $this->clientError(_('No such application.'));
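Review bot: The added `User::staticGet($this->app->owner)` reads `$this->app->owner` before the existing `if (!$this->app)` check further down, so an `id` that matches no application dereferences an empty lookup result instead of answering 'No such application.'; that existence check should move above the owner lookup. The ownership comparison also assumes `$cur` and `$this->owner` are both set, which the hunk does not show (a login check may sit above it, outside the hunk), so a defensive form is `if (empty($cur) || empty($this->owner) || $cur->id != $this->owner->id) {`. Status 401 signals missing authentication; for a logged-in user who is not the owner, 403 is the better fit. It is also worth confirming that `clientError()` aborts the request rather than returning, since otherwise execution would continue past the check. The enclosing method starts and ends outside the hunk.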