Drafts: verify ownership in editdiscussion for #1672

vanilla · Mar 15, 2014 · b25abfb · b25abfb
1 parent ab3b98e
commit b25abfb
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/applications/vanilla/controllers/class.postcontroller.php b/applications/vanilla/controllers/class.postcontroller.php
@@ -240,6 +240,10 @@ public function EditDiscussion($DiscussionID = '', $DraftID = '') {
       if ($DraftID != '') {
          $this->Draft = $this->DraftModel->GetID($DraftID);
          $this->CategoryID = $this->Draft->CategoryID;
+
+         // Verify this is their draft
+         if (GetValue('InsertUserID', $this->Draft) != Gdn::Session()->UserID)
+            throw PermissionException();
       } else {
          $this->Discussion = $this->DiscussionModel->GetID($DiscussionID);
          $this->CategoryID = $this->Discussion->CategoryID;
@@ -540,4 +544,4 @@ public function Initialize() {
       parent::Initialize();
       $this->AddCssFile('vanilla.css');
    }
-}
+}