Commit b0deaad7 authored by Evan Prodromou's avatar Evan Prodromou

Add a check to prevent replying to an unscoped notice

parent 5147404e
......@@ -351,6 +351,10 @@ class Notice extends Memcached_DataObject
if (!empty($notice->reply_to)) {
$reply = Notice::staticGet('id', $notice->reply_to);
if (!$reply->inScope($profile)) {
throw new ClientException(sprintf(_("%s has no access to notice %d"),
$profile->nickname, $reply->id), 403);
}
$notice->conversation = $reply->conversation;
}
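Review bot: The new `$reply->inScope($profile)` call uses the result of `Notice::staticGet('id', $notice->reply_to)` without first checking that a notice was found. If the parent notice has been deleted or the id is unknown, the authorization check would end in a fatal error rather than a clean rejection; this assumes staticGet returns an empty value in that case, which the hunk does not show. Handle the missing parent explicitly and fail closed, e.g. `if (empty($reply) || !$reply->inScope($profile)) {`, and build the message from `$notice->reply_to` instead of `$reply->id` so it still works when `$reply` is empty. The enclosing method starts and ends outside the hunk, so how `$profile` and `reply_to` are populated cannot be confirmed from here.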
......