From: Evan Prodromou Date: Tue, 29 Mar 2011 02:43:38 +0000 (-0400) Subject: Disallow access to events and RSVPs out of scope X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;h=c1d4186c9839e4d03d00fd8829c363db921d3def;p=quix0rs-gnu-social.git Disallow access to events and RSVPs out of scope --- diff --git a/plugins/Event/showevent.php b/plugins/Event/showevent.php index 7fb702f9db..1d4ec49205 100644 --- a/plugins/Event/showevent.php +++ b/plugins/Event/showevent.php @@ -77,6 +77,16 @@ class ShoweventAction extends ShownoticeAction throw new ClientException(_('No such event.'), 404); } + if (!empty($cur)) { + $curProfile = $cur->getProfile(); + } else { + $curProfile = null; + } + + if (!$this->notice->inScope($curProfile)) { + throw new ClientException(_('Not available.'), 403); + } + $this->user = User::staticGet('id', $this->event->profile_id); if (empty($this->user)) { diff --git a/plugins/Event/showrsvp.php b/plugins/Event/showrsvp.php index fde1d48f0e..0f13ca82ac 100644 --- a/plugins/Event/showrsvp.php +++ b/plugins/Event/showrsvp.php @@ -83,6 +83,16 @@ class ShowrsvpAction extends ShownoticeAction throw new ClientException(_('No such RSVP.'), 404); } + if (!empty($cur)) { + $curProfile = $cur->getProfile(); + } else { + $curProfile = null; + } + + if (!$this->notice->inScope($curProfile)) { + throw new ClientException(_('Not available.'), 403); + } + $this->user = User::staticGet('id', $this->rsvp->profile_id); if (empty($this->user)) {