From 908551ae3d20cab1a8b6c39eeda82c0c4af4c92b Mon Sep 17 00:00:00 2001 From: Evan Prodromou Date: Mon, 28 Mar 2011 22:50:52 -0400 Subject: [PATCH] disallow access to out-of-scope poll --- plugins/Poll/showpoll.php | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/plugins/Poll/showpoll.php b/plugins/Poll/showpoll.php index d95b1c512e..d59d9e28f3 100644 --- a/plugins/Poll/showpoll.php +++ b/plugins/Poll/showpoll.php @@ -76,6 +76,18 @@ class ShowPollAction extends ShownoticeAction throw new ClientException(_m('No such poll notice.'), 404); } + $cur = common_current_user(); + + if (!empty($cur)) { + $curProfile = $cur->getProfile(); + } else { + $curProfile = null; + } + + if (!$this->notice->inScope($curProfile)) { + throw new ClientException(_('Not available.'), 403); + } + $this->user = User::staticGet('id', $this->poll->profile_id); if (empty($this->user)) {