[dw-free] Do a security check before allowing someone to add a memory to an entry they can't see.
[commit: http://hg.dwscoalition.org/dw-free/rev/df2236b33406]
Do a security check before allowing someone to add a memory to an entry they
can't see.
Patch by
mark.
Files modified:
Do a security check before allowing someone to add a memory to an entry they
can't see.
Patch by
Files modified:
- htdocs/tools/memadd.bml
--------------------------------------------------------------------------------
diff -r 9da831501672 -r df2236b33406 htdocs/tools/memadd.bml
--- a/htdocs/tools/memadd.bml Tue Apr 07 19:56:30 2009 +0000
+++ b/htdocs/tools/memadd.bml Tue Apr 07 20:11:23 2009 +0000
@@ -91,9 +91,16 @@
 return;
 }
 
- my $dbcr = LJ::get_cluster_reader($ju);
-
+ # do access check to see if they can see this entry
 my $log = LJ::get_log2_row($ju, $itemid);
+ if ( $log ) {
+ my $entry = LJ::Entry->new_from_row( %$log );
+ if ( $entry && ! $entry->visible_to( $remote ) ) {
+ $title = $ML{'Error'};
+ $body = "You are not authorized to view this entry.<br/>";
+ return;
+ }
+ }
 
 # check to see if it already is memorable (thus we're editing, not adding);
 my $memory = LJ::Memories::get_by_ditemid($memoryu, $oldstyle ? 0 : $jid, $ditemid);
@@ -114,7 +121,10 @@
 return;
 }
 
+
 my $subject = LJ::get_logtext2($ju, $itemid)->{$log->{jitemid}}[0];
+
+ my $dbcr = LJ::get_cluster_reader($ju);
 
 # if the entry is pre-UTF-8 conversion, the
 # subject may need conversion into UTF-8
--------------------------------------------------------------------------------
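Review bot: The new visibility check in the first hunk fails open: it runs only inside `if ( $log )`, and then only when `LJ::Entry->new_from_row` returns a true value, so a missing row or a failed construction skips the check and execution continues to the memory lookup. Unless a missing entry is already rejected above this hunk (not visible here), deny by default with `my $entry = $log ? LJ::Entry->new_from_row( %$log ) : undef;` followed by `unless ( $entry && $entry->visible_to( $remote ) ) { ... }` around the same error body. The second hunk still reads `$log->{jitemid}` without a guard, which the same change would cover. The error text is also a hard-coded English string next to `$ML{'Error'}`, and a distinct "not authorized" reply confirms to the requester that a hidden entry exists; if the page has a generic error for an unknown entry, reusing it would address both. The enclosing block starts and ends outside both hunks.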