This is an automated email from the ASF dual-hosted git repository. brondsem pushed a commit to branch db/misc_aug_2023 in repository https://gitbox.apache.org/repos/asf/allura.git
commit 39c2e595362b968d07a12d322a89f732e6b6c11c
Author: Dave Brondsema <[email protected]>
AuthorDate: Mon Aug 21 17:11:40 2023 -0400
[#2023] don't allow accessing a thread via another proj/app
---
 Allura/allura/controllers/discuss.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Allura/allura/controllers/discuss.py b/Allura/allura/controllers/discuss.py
index 43478c9b3..5756ec9c6 100644
--- a/Allura/allura/controllers/discuss.py
+++ b/Allura/allura/controllers/discuss.py
@@ -187,7 +187,7 @@ class ThreadController(BaseController, FeedController, metaclass=h.ProxiedAttrMe
 def __init__(self, discussion_controller, thread_id):
 self._discussion_controller = discussion_controller
 self.discussion = discussion_controller.discussion
- self.thread = self.M.Thread.query.get(_id=thread_id)
+ self.thread = self.M.Thread.query.get(_id=thread_id, app_config_id=c.app.config._id)
 if not self.thread:
 url = f'/p/{c.project.shortname}/discussion/{c.forum.shortname}/'
 utils.permanent_redirect(url)
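Review bot: The `if not self.thread:` branch just below the changed lookup is now also the path taken when a thread id belongs to a different project/app, and it answers with `utils.permanent_redirect(url)` to a URL built from `c.forum.shortname` and a hard-coded `/discussion/` mount. This controller lives in the generic `discuss.py`, so if it is also reached from tools where `c.forum` is not set (not visible in this hunk, worth confirming), a scoped miss would raise instead of returning a clean error, and a 301 for a rejected id may be cached by clients. Consider answering a scoped miss with a 404 and keeping the redirect only for forum apps. A comment above the query such as `# scope to the current app so a thread id from another project/app cannot be loaded here` would keep the extra filter from being removed as redundant, and a regression test would help since the commit touches only this one file. `__init__` may continue past the hunk and the class starts outside it.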
