
share emails: Prohibit sharing posts the user cannot view.

Thanks to a report by Jordan Milne (/u/largenocream).
1 parent 2a285f8 commit 959240ab9ce7a27a6371fe75e3e623feed279848 @chromakode chromakode committed Feb 28, 2014
Showing with 2 additions and 0 deletions.
  1. +2 −0 r2/r2/controllers/api.py
@@ -1534,6 +1534,8 @@ def POST_share(self, shareform, jquery, emails, thing, share_from, reply_to,
pass
elif shareform.has_errors("ratelimit", errors.RATELIMIT):
pass
+ elif not sr.can_view(c.user):
+ return abort(403, 'forbidden')
else:
emails, users = emails
c.user.add_share_emails(emails)
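Review bot: The new `elif not sr.can_view(c.user):` branch sits at the end of the validation chain, after the `shareform.has_errors("ratelimit", errors.RATELIMIT)` branch, so the 403 is only reached when no earlier branch matched. A user who cannot view the post still gets the form-error or ratelimit handling for it instead of a refusal. Consider running the view check before the `has_errors` chain so authorization is decided first and does not depend on the form being valid. The hunk also does not show where `sr` is bound; it is worth confirming it is the subreddit of `thing` and is always set on this path, and adding a short comment saying why the check is there, since the commit message carries the only explanation.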
