From c1d4186c9839e4d03d00fd8829c363db921d3def Mon Sep 17 00:00:00 2001
From: Evan Prodromou
Date: Mon, 28 Mar 2011 22:43:38 -0400
Subject: [PATCH] Disallow access to events and RSVPs out of scope
---
 plugins/Event/showevent.php | 10 ++++++++++
 plugins/Event/showrsvp.php | 10 ++++++++++
 2 files changed, 20 insertions(+)
diff --git a/plugins/Event/showevent.php b/plugins/Event/showevent.php
index 7fb702f9db..1d4ec49205 100644
--- a/plugins/Event/showevent.php
+++ b/plugins/Event/showevent.php
@@ -77,6 +77,16 @@ class ShoweventAction extends ShownoticeAction
 throw new ClientException(_('No such event.'), 404);
 }
+ if (!empty($cur)) {
+ $curProfile = $cur->getProfile();
+ } else {
+ $curProfile = null;
+ }
+
+ if (!$this->notice->inScope($curProfile)) {
+ throw new ClientException(_('Not available.'), 403);
+ }
+ + $this->user = User::staticGet('id', $this->event->profile_id); + if (empty($this->user)) {
diff --git a/plugins/Event/showrsvp.php b/plugins/Event/showrsvp.php
index fde1d48f0e..0f13ca82ac 100644
--- a/plugins/Event/showrsvp.php
+++ b/plugins/Event/showrsvp.php
@@ -83,6 +83,16 @@ class ShowrsvpAction extends ShownoticeAction
 throw new ClientException(_('No such RSVP.'), 404);
 }
+ if (!empty($cur)) {
+ $curProfile = $cur->getProfile();
+ } else {
+ $curProfile = null;
+ }
+
+ if (!$this->notice->inScope($curProfile)) {
+ throw new ClientException(_('Not available.'), 403);
+ }
+ + $this->user = User::staticGet('id', $this->rsvp->profile_id); + if (empty($this->user)) {
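Review bot: The new guard in showevent.php reads `$cur`, but nothing in the hunk assigns it; unless it is set earlier in prepare() (outside the hunk), `empty($cur)` is always true, `$curProfile` is always null, and every viewer — including the event's author — is evaluated as anonymous and gets the 403 on a non-public event. If it is not already assigned above, add the logged-in-user lookup as the line before `if (!empty($cur)) {` so the check actually sees the requester. Separately, answering `403` here while a missing event answers `404` lets an out-of-scope requester confirm that a given event id exists; if that matters for private events, throw the same `_('No such event.'), 404` from the scope branch so the two cases are indistinguishable. prepare() begins and ends outside the hunk.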
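Review bot: The scope check added to showrsvp.php is a verbatim copy of the one in showevent.php, and both classes extend ShownoticeAction, so it belongs in the parent's prepare() (or one shared helper the two call) rather than in each subclass, where the next show action in this plugin will simply forget it. The same `$cur` caveat applies: the hunk never assigns it, and an unset `$cur` silently degrades the check to the anonymous case rather than failing loudly. Also worth confirming is whether an RSVP notice's scope can be wider than the event it answers — the hunk does not show how that scope is derived — because if it can, this page still reveals a private event's existence to viewers who cannot open the event itself. prepare() begins and ends outside the hunk.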