Disallow access to events and RSVPs out of scope

Evan Prodromou 2011-03-28 22:43:38 -04:00
parent 7b8fc701e0
commit c1d4186c98
2 changed files with 20 additions and 0 deletions


@ -77,6 +77,16 @@ class ShoweventAction extends ShownoticeAction
throw new ClientException(_('No such event.'), 404); throw new ClientException(_('No such event.'), 404);
} }
if (!empty($cur)) {
$curProfile = $cur->getProfile();
} else {
$curProfile = null;
}
if (!$this->notice->inScope($curProfile)) {
throw new ClientException(_('Not available.'), 403);
}
$this->user = User::staticGet('id', $this->event->profile_id); $this->user = User::staticGet('id', $this->event->profile_id);
if (empty($this->user)) { if (empty($this->user)) {
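Review bot: `$cur` is read by `if (!empty($cur))` but is never assigned in this hunk, and the identical block added to ShowrsvpAction has the same gap. If the part of the method above the hunk does not set it, `empty()` hides the undefined variable, `$curProfile` is always null, and every request is scope-checked as an anonymous viewer. The check would then fail closed, but a logged-in viewer who is in scope would presumably receive the 403 too. Assign the viewer immediately before the check, `$cur = common_current_user();`, in both files. The enclosing method starts and ends outside the hunk, so confirm this against the full file.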


@ -83,6 +83,16 @@ class ShowrsvpAction extends ShownoticeAction
throw new ClientException(_('No such RSVP.'), 404); throw new ClientException(_('No such RSVP.'), 404);
} }
if (!empty($cur)) {
$curProfile = $cur->getProfile();
} else {
$curProfile = null;
}
if (!$this->notice->inScope($curProfile)) {
throw new ClientException(_('Not available.'), 403);
}
$this->user = User::staticGet('id', $this->rsvp->profile_id); $this->user = User::staticGet('id', $this->rsvp->profile_id);
if (empty($this->user)) { if (empty($this->user)) {
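Review bot: The new 403 'Not available.' is distinguishable from the 404 'No such RSVP.' thrown just above it, so an out-of-scope requester still learns that the RSVP id exists; the event check in ShoweventAction behaves the same way. If the existence of a scoped item is meant to be private, answer out-of-scope requests with the same response as a missing item, `throw new ClientException(_('No such RSVP.'), 404);`, and record the denial in the server log instead. The scope block is also duplicated verbatim in both actions; since both extend ShownoticeAction, a shared protected helper would keep the authorization check in one place. The enclosing method continues outside the hunk.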