From 7b8fc701e0f27114e310dcae53c6a727ab05254b Mon Sep 17 00:00:00 2001
From: Evan Prodromou
Date: Mon, 28 Mar 2011 22:21:41 -0400
Subject: [PATCH] don't show notices to out-of-scope viewers
---
 actions/shownotice.php | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/actions/shownotice.php b/actions/shownotice.php
index f6074faddc..7127a60db4 100644
--- a/actions/shownotice.php
+++ b/actions/shownotice.php
@@ -79,7 +79,7 @@ class ShownoticeAction extends OwnerDesignAction
 $id = $this->arg('notice');
- $this->notice = Notice::staticGet($id);
+ $this->notice = Notice::staticGet('id', $id);
 if (empty($this->notice)) {
 // Did we used to have it, and it got deleted?
@@ -94,6 +94,18 @@ class ShownoticeAction extends OwnerDesignAction
 return false;
 }
+ $cur = common_current_user();
+
+ if (!empty($cur)) {
+ $curProfile = $cur->getProfile();
+ } else {
+ $curProfile = null;
+ }
+
+ if (!$this->notice->inScope($curProfile)) {
+ throw new ClientException(_('Not available.'), 403);
+ }
+
 $this->profile = $this->notice->getProfile();
 if (empty($this->profile)) {
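Review bot: The 403 thrown when `inScope($curProfile)` fails tells a viewer without access that a notice with this id exists, which is a different answer from the missing-notice branch just above the hunk (only its tail, `return false; }`, is visible here). If notice ids are guessable, that difference reveals which ids hold restricted notices; consider returning the same not-found response used for a missing notice, or add a comment stating that 403 is deliberate. Anonymous viewers reach `inScope(null)`, and that method is not shown, so the check is only as strong as its handling of a null profile. A comment above the check such as `// $curProfile is null for anonymous viewers; inScope() must then allow only public notices` would make that contract explicit. The enclosing method starts and ends outside the hunk.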