From: Evan Prodromou <evan@status.net>
Date: Tue, 29 Mar 2011 02:43:38 +0000 (-0400)
Subject: Disallow access to events and RSVPs out of scope
X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;h=c1d4186c9839e4d03d00fd8829c363db921d3def;p=quix0rs-gnu-social.git

Disallow access to events and RSVPs out of scope
---

diff --git a/plugins/Event/showevent.php b/plugins/Event/showevent.php
index 7fb702f9db..1d4ec49205 100644
--- a/plugins/Event/showevent.php
+++ b/plugins/Event/showevent.php
@@ -77,6 +77,16 @@ class ShoweventAction extends ShownoticeAction
             throw new ClientException(_('No such event.'), 404);
         }
 
+        if (!empty($cur)) {
+            $curProfile = $cur->getProfile();
+        } else {
+            $curProfile = null;
+        }
+
+        if (!$this->notice->inScope($curProfile)) {
+            throw new ClientException(_('Not available.'), 403);
+        }
+
         $this->user = User::staticGet('id', $this->event->profile_id);
 
         if (empty($this->user)) {
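Review bot: `$cur` is read at `if (!empty($cur))` but is not assigned anywhere in the visible lines of this hunk; the enclosing method starts and ends outside the hunk, so it may be set earlier. If it is not, `!empty($cur)` is always false, `$curProfile` is always null, and `inScope()` evaluates every request as an anonymous viewer, so logged-in users who are in scope would also get the 403. Confirm that an assignment such as `$cur = common_current_user();` precedes this block. The identical block in plugins/Event/showrsvp.php needs the same check.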
diff --git a/plugins/Event/showrsvp.php b/plugins/Event/showrsvp.php
index fde1d48f0e..0f13ca82ac 100644
--- a/plugins/Event/showrsvp.php
+++ b/plugins/Event/showrsvp.php
@@ -83,6 +83,16 @@ class ShowrsvpAction extends ShownoticeAction
             throw new ClientException(_('No such RSVP.'), 404);
         }
 
+        if (!empty($cur)) {
+            $curProfile = $cur->getProfile();
+        } else {
+            $curProfile = null;
+        }
+
+        if (!$this->notice->inScope($curProfile)) {
+            throw new ClientException(_('Not available.'), 403);
+        }
+
         $this->user = User::staticGet('id', $this->rsvp->profile_id);
 
         if (empty($this->user)) {
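Review bot: The new `throw new ClientException(_('Not available.'), 403);` is distinguishable from the 404 thrown just above for a missing RSVP, so a viewer without access can tell which RSVP ids exist but are restricted. If existence is not meant to be disclosed, reuse the not-found response here, `throw new ClientException(_('No such RSVP.'), 404);`. Otherwise add a short comment saying the 403/404 distinction is intentional. The same consideration applies to the event check in plugins/Event/showevent.php, and the enclosing method continues outside the hunk.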