Drafts: verify ownership in editdiscussion for #1672

vanilla · Mar 15, 2014 · 77b0517 · 77b0517
1 parent 79c9016
commit 77b0517
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/applications/vanilla/controllers/class.postcontroller.php b/applications/vanilla/controllers/class.postcontroller.php
@@ -291,6 +291,10 @@ public function EditDiscussion($DiscussionID = '', $DraftID = '') {
       if ($DraftID != '') {
          $this->Draft = $this->DraftModel->GetID($DraftID);
          $this->CategoryID = $this->Draft->CategoryID;
+
+         // Verify this is their draft
+         if (GetValue('InsertUserID', $this->Draft) != Gdn::Session()->UserID)
+            throw PermissionException();
       } else {
          $this->SetData('Discussion', $this->DiscussionModel->GetID($DiscussionID), TRUE);
          $this->CategoryID = $this->Discussion->CategoryID;
@@ -804,4 +808,4 @@ function CheckOrRadio($FieldName, $LabelCode, $ListOptions, $Attributes = array(
       $Result .= '</ul>';
       return $Result;
    }
-}
+}