
access to private discussions

carlokok
edited May 2011 in Vanilla 2.0 - 2.8
I noticed that if I knew the ID, I could access a private discussion.

class DiscussionController extends APIController
{
    public $Uses = array('Form', 'Database', 'CategoryModel', 'DiscussionModel', 'CommentModel');

    public function Index()
    {
        // Paging and the requested discussion ID come from the request.
        $Limit = GetIncomingValue('limit', 5);
        $Offset = GetIncomingValue('offset', 0);
        $DiscussionID = GetIncomingValue('id', 0);
        $Session = Gdn::Session();
        // Load the discussion, then require view permission on its category.
        $Discussion = $this->DiscussionModel->GetID($DiscussionID);
        $this->Permission('Vanilla.Discussions.View', TRUE, 'Category', $Discussion->PermissionCategoryID); // <<<<< ADDED


That seems to fix it, but I don't know if it's the right fix. Anyone know?
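
The check described in the post above, as an added example that is not part of the original post and is not Vanilla's code: a lookup by ID with no authorization beside one that checks view permission on the record's permission category and treats an unknown ID the same as a forbidden one. The function names, the permission map and the sample data are all constructed for illustration.

```php
<?php
// Added illustration; not Vanilla code. All names and data below are constructed.

// Constructed sample data: discussion ID => record with its permission category.
$discussions = [
    1 => ['Name' => 'Welcome',         'PermissionCategoryID' => 10],
    2 => ['Name' => 'Moderator notes', 'PermissionCategoryID' => 20],
];

// Constructed sample data: user => categories in which that user may view discussions.
$viewableCategories = [
    'guest'     => [10],
    'moderator' => [10, 20],
];

// Unchecked shape: any caller who supplies a valid ID gets the record back.
function getDiscussionUnchecked(array $discussions, int $id): ?array
{
    return $discussions[$id] ?? null;
}

// Checked shape: load the record, then authorize against the category that
// governs it. Missing and forbidden IDs return the same result, so the
// response does not confirm that a private discussion exists.
function getDiscussionChecked(array $discussions, array $viewable, string $user, int $id): ?array
{
    $discussion = $discussions[$id] ?? null;
    if ($discussion === null) {
        return null; // unknown ID: never dereference a missing record
    }
    $allowed = $viewable[$user] ?? [];
    if (!in_array($discussion['PermissionCategoryID'], $allowed, true)) {
        return null; // caller lacks view permission on this category
    }
    return $discussion;
}

// Compare both lookups for a guest: a public ID, a private ID, an unknown ID.
foreach ([1, 2, 3] as $id) {
    $unchecked = getDiscussionUnchecked($discussions, $id);
    $checked   = getDiscussionChecked($discussions, $viewableCategories, 'guest', $id);
    printf(
        "id=%d unchecked=%s checked=%s\n",
        $id,
        $unchecked['Name'] ?? 'none',
        $checked['Name'] ?? 'none'
    );
}
```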