From eff3256f5937204f883207781c50399e9b6fd9b2 Mon Sep 17 00:00:00 2001
From: Mikael Nordfeldth
Date: Sat, 31 Jan 2015 16:27:21 +0100
Subject: [PATCH] API notice access was not access restricted
---
 actions/apistatusesshow.php | 20 ++++++++------------
 actions/shownotice.php | 2 +-
 2 files changed, 9 insertions(+), 13 deletions(-)
diff --git a/actions/apistatusesshow.php b/actions/apistatusesshow.php
index 3a60b87637..2a7702ee3c 100644
--- a/actions/apistatusesshow.php
+++ b/actions/apistatusesshow.php
@@ -34,9 +34,7 @@
 * @link http://status.net/
 */
-if (!defined('STATUSNET')) {
- exit(1);
-}
+if (!defined('GNUSOCIAL')) { exit(1); }
 /**
 * Returns the notice specified by id as a Twitter-style status and inline user
@@ -65,7 +63,7 @@ class ApiStatusesShowAction extends ApiPrivateAuthAction
 *
 * @return boolean success flag
 */
- function prepare($args)
+ protected function prepare(array $args=array())
 {
 parent::prepare($args);
@@ -76,12 +74,12 @@ class ApiStatusesShowAction extends ApiPrivateAuthAction
 $this->notice_id = (int)$this->trimmed('id');
- if (empty($notice_id)) {
- $this->notice_id = (int)$this->arg('id');
+ $this->notice = Notice::getKV($this->notice_id);
+ if (!$this->notice->inScope($this->scoped)) {
+ // TRANS: Client exception thrown when trying a view a notice the user has no access to.
+ throw new ClientException(_('Access restricted.'), 403);
 }
- $this->notice = Notice::getKV((int)$this->notice_id);
-
 return true;
 }
@@ -90,13 +88,11 @@ class ApiStatusesShowAction extends ApiPrivateAuthAction
 *
 * Check the format and show the notice
 *
- * @param array $args $_REQUEST data (unused)
- *
 * @return void
 */
- function handle($args)
+ protected function handle()
 {
- parent::handle($args);
+ parent::handle();
 if (!in_array($this->format, array('xml', 'json', 'atom'))) {
 // TRANS: Client error displayed when coming across a non-supported API method.
diff --git a/actions/shownotice.php b/actions/shownotice.php
index 1d01244cc1..2576bcc111 100644
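Review bot: In the prepare() hunk, the result of `Notice::getKV($this->notice_id)` is dereferenced on the very next line without checking that a notice was found; if getKV() returns a non-object for an unknown or zero id (as a key lookup presumably does), calling `->inScope()` on it is a PHP fatal error rather than a client error, and any unauthenticated request with a bad id reaches this line because prepare() runs before handle(). Guard the lookup before the scope check, e.g. `if (!$this->notice instanceof Notice) { throw new ClientException(_('No such notice.'), 404); }` (message wording illustrative). Whether handle() still has its own not-found check cannot be seen from this hunk, but the fatal would occur before it either way; prepare() itself starts outside the hunk. If this API should not confirm that a restricted id exists, answering 404 for both the missing and the out-of-scope case avoids turning the new 403 into an existence oracle.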
--- a/actions/shownotice.php
+++ b/actions/shownotice.php
@@ -77,7 +77,7 @@ class ShownoticeAction extends ManagedAction
 if (!$this->notice->inScope($this->scoped)) {
 // TRANS: Client exception thrown when trying a view a notice the user has no access to.
- throw new ClientException(_('Not available.'), 403);
+ throw new ClientException(_('Access restricted.'), 403);
 }
 $this->profile = $this->notice->getProfile();