From 2856982a1c378ec45722f04aadf37c82b87986cb Mon Sep 17 00:00:00 2001 From: Evan Prodromou Date: Mon, 28 Mar 2011 22:50:45 -0400 Subject: [PATCH] disallow access to out-of-scope bookmark --- plugins/Bookmark/showbookmark.php | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/plugins/Bookmark/showbookmark.php b/plugins/Bookmark/showbookmark.php index 6bebffb68e..435d85940a 100644 --- a/plugins/Bookmark/showbookmark.php +++ b/plugins/Bookmark/showbookmark.php @@ -76,6 +76,16 @@ class ShowbookmarkAction extends ShownoticeAction throw new ClientException(_('No such bookmark.'), 404); } + if (!empty($cur)) { + $curProfile = $cur->getProfile(); + } else { + $curProfile = null; + } + + if (!$this->notice->inScope($curProfile)) { + throw new ClientException(_('Not available.'), 403); + } + $this->user = User::staticGet('id', $this->bookmark->profile_id); if (empty($this->user)) { -- 2.39.5