Revision: 105
Author: [email protected]
Date: Tue Aug 4 10:33:38 2009
Log: fixing #39. missing security check while displaying messages for reply.
http://code.google.com/p/django-messages/source/detail?r=105
Modified:
/trunk/messages/views.py
=======================================
--- /trunk/messages/views.py Sun Feb 1 07:30:52 2009
+++ /trunk/messages/views.py Tue Aug 4 10:33:38 2009
@@ -99,6 +99,10 @@
``messages.utils`` to pre-format the quote.
"""
parent = get_object_or_404(Message, id=message_id)
+
+ if parent.sender != request.user and parent.recipient != request.user:
+ raise Http404
+
if request.method == "POST":
sender = request.user
form = form_class(request.POST, recipient_filter=recipient_filter)
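Review bot: The new ownership guard (`if parent.sender != request.user and parent.recipient != request.user:`) carries no comment explaining why it answers 404 rather than 403, and the commit adds no regression test for issue #39. I would add `# Only the sender or recipient may quote this message; 404 rather than 403 so message ids cannot be probed.` above it, plus a test that requests the reply view as a third user and expects a 404. The guard sits before the `request.method == "POST"` branch, so both the form display and the submit path are covered. It also lets the original sender open the reply form for their own message; whether that is intended depends on how the reply's recipient is chosen further down, outside this hunk. The view's signature and remaining body are also outside the hunk, so it is worth confirming that the view requires login and that the other views taking a `message_id` apply the same check.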