authorYorhel <git@yorhel.nl>2010-12-19 19:46:41 +0100
committerYorhel <git@yorhel.nl>2010-12-19 19:46:41 +0100
commit632df9599de8dbb25707b0bf8caea075c55cfa3f (patch)
tree0df4e565278474818127d8e5e6e2a8dc768018b4
parentdf7f5c13faab514b7ff8ea76635059b9c09629af (diff)
Bugfix: Don't allow others to open /u+/votes when show_list is false
-rw-r--r--ChangeLog1
-rw-r--r--lib/VNDB/Handler/ULists.pm3
2 files changed, 4 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 52046c44..58c6795d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,7 @@
- VNDBUtil::bb2html(): Fixed bug when the string starts with a VNDBID
- VNDBUtil::bb2html(): Fixed bug with lowercasing all [url=..] URLs
- Fixed perl warning on /v/search redirect without search query
+ - Bugfix: Don't allow others to open /u+/votes when show_list is false
2.15 - 2010-12-15
- Removed expand/collapse from history browser and /u+/posts and switched to
diff --git a/lib/VNDB/Handler/ULists.pm b/lib/VNDB/Handler/ULists.pm
index c8119000..6efb0a13 100644
--- a/lib/VNDB/Handler/ULists.pm
+++ b/lib/VNDB/Handler/ULists.pm
@@ -104,6 +104,9 @@ sub votelist {
my $obj = $type eq 'v' ? $self->dbVNGet(id => $id)->[0] : $self->dbUserGet(uid => $id)->[0];
return 404 if !$obj->{id};
+ my $own = $type eq 'u' && $self->authInfo->{id} && $self->authInfo->{id} == $id;
+ return 404 if $type eq 'u' && !$own && !($obj->{show_list} || $self->authCan('usermod'));
+
my $f = $self->formValidate(
{ name => 'p', required => 0, default => 1, template => 'int' },
{ name => 'o', required => 0, default => 'd', enum => ['a', 'd'] },
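Review bot: The visibility guard on the two added lines is inlined in votelist with no comment, although this commit exists because one handler missed that rule. State the rule above `my $own`, for example `# Hidden lists (show_list false) are visible only to the owner and to users with 'usermod'`, and if other /u+ list handlers repeat the condition (not visible in this hunk), move it into one shared helper they all call. The guard covers only `$type eq 'u'`; whether the `'v'` path leaves out votes from users whose show_list is false depends on the query further down in votelist, which lies outside the hunk and is worth checking. Returning 404 matches the existing `return 404 if !$obj->{id};` line, so the response does not distinguish a hidden list from a missing user.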