access to private discussions
carlokok
I noticed that if I knew the ID, I could access a private discussion.
    class DiscussionController extends APIController
    {
        public $Uses = array('Form', 'Database', 'CategoryModel', 'DiscussionModel', 'CommentModel');

        public function Index()
        {
            $Limit = GetIncomingValue('limit', 5);
            $Offset = GetIncomingValue('offset', 0);
            $DiscussionID = GetIncomingValue('id', 0);
            $Session = Gdn::Session();
            $Discussion = $this->DiscussionModel->GetID($DiscussionID);
            $this->Permission('Vanilla.Discussions.View', TRUE, 'Category', $Discussion->PermissionCategoryID); // <<<<< ADDED
            // ... (remainder of the method is not shown in the post)
        }
    }
That seems to fix it, but I don't know if it's the right fix. Anyone know?
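The check discussed in the post above, as an added stand-alone example (not Vanilla code and not part of the original post): an endpoint that returns a discussion by ID next to one that first authorizes the caller against the category of the discussion it loaded. All function names and the sample data are hypothetical and constructed for illustration. The example also handles an ID that matches no discussion, which the posted line does not check before reading `PermissionCategoryID`.

```php
<?php
// Added example: a stand-alone model of the object-level check, not Vanilla code.
// Every name below is hypothetical; the data is constructed for illustration.

final class NotFound extends Exception {}
final class Forbidden extends Exception {}

// Constructed sample data: discussion ID => record with its permission category.
const DISCUSSIONS = [
    10 => ['title' => 'Welcome',    'permissionCategoryID' => 1],
    11 => ['title' => 'Staff only', 'permissionCategoryID' => 2],
];
// Constructed sample data: user => category IDs that user may view.
const VIEWABLE = ['guest' => [1], 'staff' => [1, 2]];

function loadDiscussion(int $id): ?array {
    return DISCUSSIONS[$id] ?? null;
}

// Before: the record goes to anyone who supplies a valid ID; $user is never consulted.
function getDiscussionUnchecked(string $user, int $id): ?array {
    return loadDiscussion($id);
}

// After: authorize against the category of the discussion that was actually loaded.
function getDiscussionChecked(string $user, int $id): array {
    $discussion = loadDiscussion($id);
    if ($discussion === null) {
        // Unknown ID: stop before reading a field of a missing record.
        throw new NotFound("discussion $id");
    }
    $allowed = VIEWABLE[$user] ?? [];
    if (!in_array($discussion['permissionCategoryID'], $allowed, true)) {
        throw new Forbidden("discussion $id");
    }
    return $discussion;
}

// Run the checked path for each constructed caller/ID pair and print the outcome.
foreach ([['guest', 10], ['guest', 11], ['staff', 11], ['guest', 99]] as [$user, $id]) {
    try {
        $result = getDiscussionChecked($user, $id)['title'];
    } catch (NotFound | Forbidden $e) {
        $result = get_class($e);
    }
    printf("%-5s id=%d -> %s\n", $user, $id, $result);
}
```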