share emails: Prohibit sharing posts the user cannot view.

Thanks to a report by Jordan Milne (/u/largenocream).
commit 959240ab9ce7a27a6371fe75e3e623feed279848 1 parent 2a285f8
@chromakode chromakode authored
Showing with 2 additions and 0 deletions.
  1. +2 −0  r2/r2/controllers/api.py
2  r2/r2/controllers/api.py
@@ -1534,6 +1534,8 @@ def POST_share(self, shareform, jquery, emails, thing, share_from, reply_to,
pass
elif shareform.has_errors("ratelimit", errors.RATELIMIT):
pass
+ elif not sr.can_view(c.user):
+ return abort(403, 'forbidden')
else:
emails, users = emails
c.user.add_share_emails(emails)
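Review bot: The added `elif not sr.can_view(c.user)` branch tests `sr`, but nothing in the visible context binds that name; the handler's signature only shows `thing`. Please confirm that `sr` is the subreddit the shared `thing` belongs to and not one taken from the request context, since otherwise the check can pass against a different subreddit than the post's. Two smaller points: because this is the last `elif` before the `else`, a request that trips one of the earlier `has_errors` branches never reaches the access check. That is harmless as written because those branches only `pass`, but putting the permission test first would make the 403 independent of form validation. A regression test that shares a post from a subreddit the user cannot view and expects the 403 would keep this from reopening.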