Disallow access to events and RSVPs out of scope
This commit is contained in:
parent
7b8fc701e0
commit
c1d4186c98
@ -77,6 +77,16 @@ class ShoweventAction extends ShownoticeAction
|
||||
throw new ClientException(_('No such event.'), 404);
|
||||
}
|
||||
|
||||
if (!empty($cur)) {
|
||||
$curProfile = $cur->getProfile();
|
||||
} else {
|
||||
$curProfile = null;
|
||||
}
|
||||
|
||||
if (!$this->notice->inScope($curProfile)) {
|
||||
throw new ClientException(_('Not available.'), 403);
|
||||
}
|
||||
|
||||
$this->user = User::staticGet('id', $this->event->profile_id);
|
||||
|
||||
if (empty($this->user)) {
|
||||
|
@ -83,6 +83,16 @@ class ShowrsvpAction extends ShownoticeAction
|
||||
throw new ClientException(_('No such RSVP.'), 404);
|
||||
}
|
||||
|
||||
if (!empty($cur)) {
|
||||
$curProfile = $cur->getProfile();
|
||||
} else {
|
||||
$curProfile = null;
|
||||
}
|
||||
|
||||
if (!$this->notice->inScope($curProfile)) {
|
||||
throw new ClientException(_('Not available.'), 403);
|
||||
}
|
||||
|
||||
$this->user = User::staticGet('id', $this->rsvp->profile_id);
|
||||
|
||||
if (empty($this->user)) {
|
||||
|
Loading…
Reference in New Issue
Block a user