disallow access to out-of-scope poll
authorEvan Prodromou <evan@status.net>
Tue, 29 Mar 2011 02:50:52 +0000 (22:50 -0400)
committerEvan Prodromou <evan@status.net>
Tue, 29 Mar 2011 02:50:52 +0000 (22:50 -0400)
plugins/Poll/showpoll.php

index d95b1c512ef34acfcae72858827ccd58d0869b71..d59d9e28f3489ec0f7295e879f5d5fb16ae8d7ef 100644 (file)
@@ -76,6 +76,18 @@ class ShowPollAction extends ShownoticeAction
             throw new ClientException(_m('No such poll notice.'), 404);
         }
 
+        $cur = common_current_user();
+
+        if (!empty($cur)) {
+            $curProfile = $cur->getProfile();
+        } else {
+            $curProfile = null;
+        }
+
+        if (!$this->notice->inScope($curProfile)) {
+            throw new ClientException(_('Not available.'), 403);
+        }
+
         $this->user = User::staticGet('id', $this->poll->profile_id);
 
         if (empty($this->user)) {
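Review bot: The new scope check at `if (!$this->notice->inScope($curProfile))` answers with 403 while the missing-notice case just above answers with 404, so a caller who is out of scope can still tell that a poll with this id exists. If that distinction is not intended, the branch could reuse the existing response, `throw new ClientException(_m('No such poll notice.'), 404);`. The new message is also wrapped in `_()` where the neighbouring 404 uses `_m()`, so it is probably looked up in the core catalogue rather than the plugin's; `_m('Not available.')` would keep the two consistent. The enclosing method starts and ends outside this hunk, so whether other Poll actions that load the same notice also call inScope() cannot be confirmed from here.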