From b0deaad700e72a06bf11f044236ed9c27e0eccff Mon Sep 17 00:00:00 2001
From: Evan Prodromou
Date: Mon, 28 Mar 2011 12:01:08 -0400
Subject: [PATCH] Add a check to prevent replying to an unscoped notice

---
 classes/Notice.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/classes/Notice.php b/classes/Notice.php
index 69ed959f38..3780d52d56 100644
--- a/classes/Notice.php
+++ b/classes/Notice.php
@@ -351,6 +351,10 @@ class Notice extends Memcached_DataObject
 if (!empty($notice->reply_to)) {
 $reply = Notice::staticGet('id', $notice->reply_to);
+ if (!$reply->inScope($profile)) {
+ throw new ClientException(sprintf(_("%s has no access to notice %d"),
+ $profile->nickname, $reply->id), 403);
+ }
 $notice->conversation = $reply->conversation;
 }
-- 
2.39.5
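Review bot: The added line `if (!$reply->inScope($profile)) {` dereferences `$reply` without checking that `Notice::staticGet('id', $notice->reply_to)` on the previous line actually found a notice; if the parent referenced by `reply_to` no longer exists, the method call on a non-object is a fatal error instead of the 403 ClientException this hunk intends, and the scope check is skipped entirely for that path. Guard the lookup first, e.g. `if (empty($reply) || !$reply->inScope($profile)) {`, so a dangling `reply_to` is rejected the same way as an out-of-scope parent rather than crashing request handling. The enclosing method begins and ends outside this hunk, so I am assuming from the message text that `$profile` is the posting author's profile; worth a one-line comment above the check stating that, since it is the identity the access decision is made for.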