Add a check to prevent replying to an unscoped notice

diff --git a/classes/Notice.php b/classes/Notice.php
index 69ed959f3896969dcca2e3e31b1f10a8553db878..3780d52d561d81ebb93768235a50194947f2f8d6 100644 (file)
--- a/classes/Notice.php
+++ b/classes/Notice.php
@@ -351,6 +351,10 @@ class Notice extends Memcached_DataObject
 
         if (!empty($notice->reply_to)) {
             $reply = Notice::staticGet('id', $notice->reply_to);
+            if (!$reply->inScope($profile)) {
+                throw new ClientException(sprintf(_("%s has no access to notice %d"),
+                                                  $profile->nickname, $reply->id), 403);
+            }
             $notice->conversation = $reply->conversation;
         }