When creating a new Phame blog post, check that the author has permission to post to the blog

Summary:
Via HackerOne. We're missing this permissions check, so you can sneak around it with URL editing right now.

I checked the other queries in this application and they seem OK.

Test Plan: Tried to post to a blog I had no permission to join.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Differential Revision: https://secure.phabricator.com/D8423

src/applications/phame/controller/post/PhamePostEditController.php

@@ -36,6 +36,11 @@ final class PhamePostEditController
       $blog = id(new PhameBlogQuery())
         ->setViewer($user)
         ->withIDs(array($request->getInt('blog')))
+        ->requireCapabilities(
+          array(
+            PhabricatorPolicyCapability::CAN_VIEW,
+            PhabricatorPolicyCapability::CAN_JOIN,
+          ))
         ->executeOne();
       if (!$blog) {
         return new Aphront404Response();