Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.
access to private discussions
This discussion is related to the api (json) addon.
carlokok
New
I noticed that if I knew the ID, I could access a private discussion.
class DiscussionController extends APIController
{
public $Uses = array('Form', 'Database', 'CategoryModel', 'DiscussionModel', 'CommentModel');
public function Index()
{
$Limit = GetIncomingValue('limit', 5);
$Offset = GetIncomingValue('offset', 0);
$DiscussionID = GetIncomingValue('id', 0);
$Session = Gdn::Session();
$Discussion = $this->DiscussionModel->GetID($DiscussionID);
$this->Permission('Vanilla.Discussions.View', TRUE, 'Category', $Discussion->PermissionCategoryID); <<<<< ADDED
that seems to fix it but I dont know if it's the right fix. Anyone know?
class DiscussionController extends APIController
{
public $Uses = array('Form', 'Database', 'CategoryModel', 'DiscussionModel', 'CommentModel');
public function Index()
{
$Limit = GetIncomingValue('limit', 5);
$Offset = GetIncomingValue('offset', 0);
$DiscussionID = GetIncomingValue('id', 0);
$Session = Gdn::Session();
$Discussion = $this->DiscussionModel->GetID($DiscussionID);
$this->Permission('Vanilla.Discussions.View', TRUE, 'Category', $Discussion->PermissionCategoryID); <<<<< ADDED
that seems to fix it but I dont know if it's the right fix. Anyone know?
1