Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

access to private discussions

This discussion is related to the api (json) addon.
carlokokcarlokok New
edited May 2011 in Vanilla 2.0 - 2.8
I noticed that if I knew the ID, I could access a private discussion.

class DiscussionController extends APIController
public $Uses = array('Form', 'Database', 'CategoryModel', 'DiscussionModel', 'CommentModel');

public function Index()
$Limit = GetIncomingValue('limit', 5);
$Offset = GetIncomingValue('offset', 0);
$DiscussionID = GetIncomingValue('id', 0);
$Session = Gdn::Session();
$Discussion = $this->DiscussionModel->GetID($DiscussionID);
$this->Permission('Vanilla.Discussions.View', TRUE, 'Category', $Discussion->PermissionCategoryID); <<<<< ADDED

that seems to fix it but I dont know if it's the right fix. Anyone know?
Sign In or Register to comment.