
Anonymous committed e5201b2

security fixes



newsmeme/views/post.py

-from flask import Module, abort, jsonify, \
+from flask import Module, abort, jsonify, request,  \
     g, url_for, redirect, flash
 
 from flaskext.mail import Message
 
 post = Module(__name__)
 
-
 @post.route("/<int:post_id>/")
 @post.route("/<int:post_id>/s/<slug>/")
 @keep_login_url
 def view(post_id, slug=None):
     post = Post.query.get_or_404(post_id)
     if not post.can_access(g.user):
-        abort(403)
+        if not g.user:
+            flash(_("You must be logged in to see this post"), "error")
+            return redirect(url_for("account.login", next=request.path))
+        else:
+            flash(_("You must be a friend to see this post"), "error")
+            abort(403)
 
     def edit_comment_form(comment):
         return CommentForm(obj=comment)
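Review bot: In `view`, the `flash(...)` placed before `abort(403)` on the not-a-friend branch leaves a message in the session that the 403 response will only show if the error handler renders flashed messages; otherwise it surfaces on whatever page the user loads next. Since `get_or_404` has already confirmed the post exists, a logged-in non-friend also learns from the 403 and its message that a private post id is real; one option is to drop that flash and respond with `abort(404)` so an inaccessible post looks the same as a missing one, if that fits the site's intended behaviour. The `else:` following `return redirect(url_for("account.login", next=request.path))` is redundant and the friend-check branch can be dedented one level. `_` is used for the flashed strings but is not among the imports in this hunk; presumably it is imported elsewhere in the file — worth confirming, as the hunk only adds `request`. The body of `view` continues outside the hunk.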
 @login_required
 def add_comment(post_id, parent_id=None):
     post = Post.query.get_or_404(post_id)
+    if not post.can_access(g.user):
+        abort(403)
 
     parent = Comment.query.get_or_404(parent_id) if parent_id else None